Application Guidelines and Implementation Roadmap · 2012-01-25 · The implementation roadmap...
Transcript of Application Guidelines and Implementation Roadmap · 2012-01-25 · The implementation roadmap...
Building Radio frequency IDentification for the Global Environment
Application Guidelines and Implementation Roadmap
Authors: Mikko Lehtonen (ETH Zurich), Jasser Al-Kassab (SAP), Sebastian Lekies (SAP)
June 2009 This work has been partly funded by the European Commission contract No: IST-2005-033546
About the BRIDGE Project:
BRIDGE (Building Radio frequency IDentification for the Global Environment) is a 13 million Euro RFID project running over 3 years and partly funded (€7,5 million) by the European Union. The objective of the BRIDGE project is to research, develop and implement tools to enable the deployment of EPCglobal applications in Europe. Thirty interdisciplinary partners from 12 countries (Europe and Asia) are working together on : Hardware development, Serial Look-up Service, Serial-Level Supply Chain Control, Security; Anti-counterfeiting, Drug Pedigree, Supply Chain Management, Manufacturing Process, Reusable Asset Management, Products in Service, Item Level Tagging for non-food items as well as Dissemination tools, Education material and Policy recommendations. For more information on the BRIDGE project: www.bridge-project.eu This document results from work being done in the framework of the BRIDGE project. It does not represent an official deliverable formally approved by the European Commission.
This document:
This document presents application guidelines and implementation roadmap for the technical anti-counterfeiting measures developed in BRIDGE WP5. While various RFID implementation guidelines and checklists have been published, they do not cover the use of EPC/RFID in anti-counterfeiting. The purpose of this document is to help bridge this gap.
Disclaimer:
Copyright 2009 by (ETH Zurich, SAP) All rights reserved. The information in this document is proprietary to these BRIDGE consortium members This document contains preliminary information and is not subject to any license agreement or any other agreement as between with respect to the above referenced consortium members. This document contains only intended strategies, developments, and/or functionalities and is not intended to be binding on any of the above referenced consortium members (either jointly or severally) with respect to any particular course of business, product strategy, and/or development of the above referenced consortium members. To the maximum extent allowed under applicable law, the above referenced consortium members assume no responsibility for errors or omissions in this document. The above referenced consortium members do not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, satisfactory quality, fitness for a particular purpose, or non-infringement. No licence to any underlying IPR is granted or to be implied from any use or reliance on the information contained within or accessed through this document. The above referenced consortium members shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intentional or gross negligence. Because some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. The statutory liability for personal injury and defective products is not affected. The above referenced consortium members have no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.
BRIDGE – Building Radio frequency IDentification solutions for the Global Environment
Executive Summary This document presents application guidelines and implementation roadmap for the technical
anti-counterfeiting measures developed in BRIDGE WP5. While various RFID
implementation guidelines and checklists have been published, they do not cover the use of
EPC/RFID in anti-counterfeiting. The purpose of this document is to help bridge this gap.
The practical level of protection that a technical anti-counterfeiting system provides to a
supply chain depends on two aspects: on detecting counterfeit products when they are
checked (“intrinsic security”) and on checking the counterfeit products (“check rate”). The
implementation roadmap presents how a high level of intrinsic security can be achieved with
security measures available, now and in the future, for EPC-tagged products. Achieving a
high check rate is addressed by applying the checks in the right supply chain locations and
by integrating authenticity checks to processes where the products are anyhow identified.
The implementation roadmap presents the available security measures for EPC-tagged
products and provides guidance for selecting and updating security measures for an affected
product. The roadmap starts from the basic measure which is reading the EPC number and
verifying from a white list that such a product exists. The role of the security measures is to
secure this scheme from adversaries. Three dimensions of security are considered: 1)
prevention of tag cloning, 2) detection cloned tags, and 3) tag-product integrity.
In general, there are eight possible supply chain locations (“usage scenarios”) for authenticity
checks. These are analyzed in the report and they include: 1) distribution, 2) customs, 3)
incoming goods at retail, 4) goods on retail shelves, 5) point of sales, 6) consumer / end-
user, 7) after sales services and 8) reverse logistics. These cases are collected from existing
usage scenarios and they address different dimensions of the problem. In particular, only
checks in customs and checks of goods on retail shelves target the illicit supply chain. It is
also shown which security measures are conceptually feasible in these locations.
In addition to providing guidelines for the selection of security measures and check locations,
an anti-counterfeiting project life-cycle model is presented. It serves companies affected by
counterfeiting as a manual for deploying RFID and track-and-trace based anti-counterfeiting
solutions and includes detailed description of four project phases: 1) initiation, 2) planning, 3)
closing, and 4) operation and maintenance. Last, this life-cycle model is applied to an
anonymized real-world company Akron to illustrate its application with tangible examples.
BRIDGE – Building Radio frequency IDentification solutions for the Global Environment
Table of Contents Executive Summary ............................................................................................................. 3 Table of Contents ................................................................................................................. 4 Table of Figures .................................................................................................................... 6 Table of Tables ..................................................................................................................... 7 1 Introduction .................................................................................................................... 8
1.1 How Security Works ............................................................................................... 8 1.2 Organization of this Report ...................................................................................10
2 Implementation Roadmap ............................................................................................ 12 2.1 Basic Measure........................................................................................................13 2.2 Towards Strong Prevention of Tag Cloning.........................................................15 2.3 Towards Reliable Detection of Cloned Tags ........................................................17 2.4 Towards Strong Tag-Product Integrity .................................................................20
3 Supply Chain Locations for Product Authentication ................................................. 23 3.1 Different supply chain locations for product authentication ..............................23 3.2 Feasibility of different security measures ............................................................29
4 Anti-Counterfeiting Project Life Cycle ........................................................................ 31 4.1 Selection of a Project Life Cycle Model ................................................................31 4.2 Initiation phase ......................................................................................................32
44..22..11 Purpose of the Initiation phase ........................................................................32 44..22..22 Problem Analysis .............................................................................................32 44..22..33 Project Team ...................................................................................................34 44..22..44 Definition of Project Scope ..............................................................................36 44..22..55 Feasibility Study ..............................................................................................36 44..22..66 Cost-benefit analysis .......................................................................................38
4.3 Planning phase ......................................................................................................41 44..33..11 Purpose of the Planning Phase .......................................................................41 44..33..22 Organizational and Process Changes .............................................................41 44..33..33 Site Survey ......................................................................................................42 44..33..44 Selection of Hardware and Software ...............................................................43 44..33..55 Stakeholder Analysis .......................................................................................43
4.4 Implementation phase ...........................................................................................45 44..44..11 Purpose of the Implementation Phase .............................................................45 44..44..22 Pilot Study .......................................................................................................46 44..44..33 Administrative and Organizational Requirements and Changes ......................46 44..44..44 Technical Requirements and Changes ............................................................47
4.5 Closing phase ........................................................................................................47 4.6 Operation and Maintenance ..................................................................................47
BRIDGE – Building Radio frequency IDentification solutions for the Global Environment
5 Example Application .................................................................................................... 50 5.1 Introduction ............................................................................................................50 5.2 Akron Company Profile .........................................................................................50 5.3 Application .............................................................................................................51
55..33..11 Initiation phase ................................................................................................51 55..33..22 Planning phase ................................................................................................53 55..33..33 Implementation phase .....................................................................................55 55..33..44 Closing phase ..................................................................................................56 55..33..55 Operation and Maintenance ............................................................................56
References .......................................................................................................................... 57 Appendix A: Hardware calculations .................................................................................. 60 Appendix B: Akron’s Stakeholder map............................................................................. 61
BRIDGE – Building Radio frequency IDentification solutions for the Global Environment
Table of Figures Figure 1. The overall process of securing a supply chain from counterfeit products .............. 9
Figure 2. Direct effect of security ........................................................................................... 9
Figure 3. Indirect effect of security ........................................................................................10
Figure 4. Organization of this deliverable. .............................................................................11
Figure 5. Roadmap towards secure authentication of EPC-tagged products ........................12
Figure 6. Protocol of the basic measure (white list) ..............................................................14
Figure 7. Authentication based on ACCESS passwords .......................................................15
Figure 8. Authentication based on unique TID numbers .......................................................16
Figure 9. Authentication based on cryptographic tags / PUF ................................................17
Figure 10. Authentication based on track and trace checks ..................................................19
Figure 11. Authentication based on synchronized secrets protocol ......................................19
Figure 12. Example of a commercial security seal (www.tesa.com). .....................................20
Figure 13. Physical tag integration provides different possibilities depending on the product [34] .......................................................................................................................................21
Figure 14. Authentication based on object-specific features .................................................22
Figure 15. Possible supply chain locations for product authentication ..................................23
Figure 16: Project Life Cycle .................................................................................................31
Figure 17: Example for an RFID project team [6] ..................................................................34
Figure 18: Cost benefit model of investment in security ........................................................40
Figure 19: Exemplary RFID enabled Business Applications .................................................41
Figure 20: Site Survey Process [17] .....................................................................................42
Figure 21: Stakeholder groups [2] ........................................................................................44
Figure 22: Exemplary Stakeholder Matrix .............................................................................45
Figure 23: Akron's Supply Chain Network ............................................................................50
Figure 24: Akron's project team ............................................................................................52
Figure 25: Process manger and rule designer ......................................................................53
Figure 26: Factory layout ......................................................................................................54
Figure 27: Supplier matrix ....................................................................................................55
BRIDGE – Building Radio frequency IDentification solutions for the Global Environment
Table of Tables Table 1. Threat levels and needed countermeasures ...........................................................12
Table 2. Prerequisite for product authentication: the basic measure .....................................15
Table 3. Summary of preventive security measures on EPC tags ........................................17
Table 4. Summary of detective security measures ...............................................................20
Table 5. Summary of security measures for tag-product integrity .........................................22
Table 6. Conceptual feasibility of RFID-based product authentication measures in different supply chain locations (see Section 2 and BRIDGE D5.4 for technical details). ....................30
Table 7: Decision making tool for evaluating the overall risk of counterfeiting .......................33
Table 8: Required hardware and software ............................................................................43
Table 9: Exemplary Table of Stakeholders ...........................................................................44
Table 10: Calculation of hardware expenses ........................................................................60
Table 11: Akron's stakeholder map ......................................................................................61
BRIDGE – Building Radio frequency IDentification solutions for the Global Environment
1 Introduction Brand owners of various kinds of physical goods have an increasing need to protect their
supply chains against product counterfeiting. To support brand owners across industries,
BRIDGE WP5 has investigated and developed EPC/RFID-based countermeasures to
counter counterfeit trade. Based on this work, this document presents application guidelines
and an implementation roadmap for EPC/RFID based anti-counterfeiting measures.
These application guidelines cover deployment and usage of an anti-counterfeiting system
based on EPC technology. More precisely, the guidelines cover steering an anti-
counterfeiting system deployment project and selecting an effective and efficient way to use
the authenticity checks to counter counterfeit trade. While various general RFID
implementation guidelines and checklists are published by practitioners1,2
Different products need different amounts of protection. While simple verification of EPC
numbers might be secure enough for some inexpensive consumer goods, for instance,
authentication of luxury goods that are brought to after-sales service might require much
more security. To answer the varying needs of different products, EPC technology provides a
rich platform for different security measures. To assist brand owners in choosing right
security measures, the implementation roadmap presents the way from identification to
highly secure authentication of EPC-tagged products. This roadmap presents the possible
security measures and their requirements to guarantee secure authentication of EPC-tagged
products in a long term.
, these do not cover
the use of RFID in anti-counterfeiting. Therefore the major contribution of this document is to
provide the anti-counterfeiting-specific knowledge to the general guidelines.
The material benefits of a technical anti-counterfeiting system are hard to evaluate and
present in one dimension, with only one criterion, but overall they can be characterized by
security. Therefore the provided application guidelines are structured around concepts of
security.
1.1 How Security Works This subsection presents the conceptual framework of security in anti-counterfeiting that
structures the provided application guidelines.
In general terms, security refers to protecting assets against certain threats and it is provided
by a process of prevention, detection and response [36]. The overall process of securing a
supply chain against counterfeit products presents the different preventive, detective and
responsive countermeasures that companies can implement. Figure 1 illustrates this process
by showing what the counterfeiter attempts to do and what the affected company or 1 http://www.rfid-in-action.eu/public/results/guidelines/rfid-implementation-checklist 2 http://epsfiles.intermec.com/eps_files/eps_brochure/RFIDChecklist_brochure_web.pdf
BRIDGE – Building Radio frequency IDentification solutions for the Global Environment
companies can do to counter the counterfeiting. In particular, the illustration shows that
product authentication is only one element in this overall process of securing the supply
chain against counterfeits – but it is a particularly important one.
1. Obtain counterfeit products 2. Obtain RFID tags with valid, copied serial numbers
Detect§ Private
investigations
Prevent§ Do not disclose
blueprints§ Audit
manufacturers
Respond§ Confiscate illicit
products§ Prosecute
infringers§ End business
relationships
Detect§ Monitor
clandestine scanning
§ Detect use of copied IDs
Prevent§ Use random
IDs§ Upkeep list of
valid IDs§ Secure data
base of IDs§ Waste mngt.
Respond§ Discard copied
IDs
3. Sell counterfeit products to the licit supply chain
Detect§ Authenticate
products
Prevent§ Secure
legitimate inputs
Respond§ Confiscate illicit
products§ Prosecute
infringers§ End business
relationships§ Strict liabilities
Counterfeiter (illicit actors)
Brand owner (licit actors) Figure 1. The overall process of securing a supply chain from counterfeit products
The security provided by a technical product authentication system has two major effects on
the protected supply chain. First, the direct effect of security is that counterfeit products in
the secured channel are detected. This is illustrated in Figure 2. Detection of counterfeit
products depends on two factors: on verification of counterfeit products (check rate) and on
detecting counterfeit products that are verified (intrinsic level of security of the security
measure). The former is provided by the way the technology is used and the latter by the
technology itself. In other words, the achieved level of security in practice depends on the
security measure and how it is used. This is a simple finding but it is very helpful in
organizing the application guidelines: On the one hand the goal is to maximize the probability
that a counterfeit is verified, and on the other hand the goal is to maximize the probability that
a counterfeit is detected when checked.
Counterfeits are detected
(direct security)
Counterfeits are verified
(check rate)
Counterfeits are detected when
verified (intrinsic security)
Figure 2. Direct effect of security
BRIDGE – Building Radio frequency IDentification solutions for the Global Environment
When counterfeit products are detected in a supply chain with a sufficient success rate, the
expected profit of selling counterfeit products to the protected supply chain decrease to zero
and below. Thus the second, indirect effect of security is that injecting counterfeit products
to the licit supply chain no longer pays off for the illicit actors. Since counterfeiters are
primary financially motivated, we can assume that decreasing the expected profits has a
deterrent effect on counterfeiters. The technical factors that provide the deterrent effect of
security are illustrated in Figure 3. It is important to note in practice deterrence is not
provided the absolute magnitudes of prevention, detection and response, but how
counterfeiters perceive and value them. For instance, a convincing sticker of a surveillance
system alone can deter a burglar from breaking into a house if the burglar perceives that the
risk of alarm is too high, without the need of an actual surveillance system.
Punishment (response)
Detection rate (detection)
Deterrence(indirect security)
Detection rate (detection)
Deterrence(indirect security)
Cost to break (prevention)
Figure 3. Indirect effect of security
All of counterfeit products do not need to be detected in order to make injecting counterfeit
products to a licit supply chain unprofitable. This is due to two factors. First, also
counterfeiters have costs that need to be covered before they can break even, for instance
from production and logistics [37]. Second, the risk of getting caught and being punished –
though it may be small – needs to be offset by somewhat high returns; otherwise taking the
risk does not pay off in the long term. However, it must be noted that deterrence only means
that injecting counterfeits to the protected supply chain is not financially interesting in the
long term under certain assumptions, but it does not guarantee or prevent that it will not
happen.
1.2 Organization of this Report This report is organized as follows. First, section 2 presents an implementation roadmap
towards strong authentication of EPC-tagged products. Then, section 3 describes and
analyzes eight different supply chain locations for the authenticity checks and presents the
technical feasibility of different security measures in these locations. And last, section 4
provides an anti-counterfeiting project-life cycle model that is a manual to help affected
BRIDGE – Building Radio frequency IDentification solutions for the Global Environment
companies during different phases of the implementation project, and this life-cycle model is
illustrated with an example in section 5.
Section 1: Introduction
Content: Introduction to the deliverable, conceptual framework of security in anti-counterfeiting.
Findings: Supply chain is protected through high check rate and intrinsic security of the check.
Section 2: Implementation Roadmap
Content: Implementation roadmap towards secure authentication of EPC-tagged products.
Findings: EPC/RFID provides a platform of security features, suitable security features depend on the product.
Section 3: Supply Chain Locations for Product Authentication
Content: Analysis of possible supply locations for product authentication, feasibility of different techniques therein.
Findings: There are eight usage scenarios for product authentication in licit supply chains.
Section 4: Anti-Counterfeiting Project Life Cycle
Content: Description and analysis of issues during different phases of an anti-counterfeiting project.
Findings: Guidelines for initiation phase, planning phase, implementation phase, and closing phase.
Section 5: Example Application
Content: Example application of the rules-based approach to an anonymized real-world based company.
Findings: Illustration of the project life cycle model.
Figure 4. Organization of this deliverable.
BRIDGE – Building Radio frequency IDentification solutions for the Global Environment
2 Implementation Roadmap This section describes an implantation roadmap towards secure authentication of EPC-
tagged products. The roadmap includes three different dimensions of security, namely tag
cloning resistance, detection of cloned tags and tag-product integrity, and presents the
different security measures that are needed to move towards higher level of security. The
goal of choosing the security measures is to enable secure product authentication.
Table 1. Threat levels and needed countermeasures
Threat Countermeasure
I Counterfeit product without an RFID tag Basic measure
II Counterfeit product with an RFID tag with an invalid EPC Basic measure
III Counterfeit product with an RFID tag with a valid EPC Tag cloning resistance / detection of cloned tags
IV Counterfeit product with a genuine RFID tag Tag-product integrity
The implementation roadmap addresses different threat levels of counterfeit products
injected to the protected supply chain. We define these threat levels as follows: The first level
threat is a counterfeit product without an RFID tag. The second level threat is a counterfeit
product with an RFID tag with an invalid EPC number. The third level threat is a counterfeit
product with an RFID tag with a copied, valid, EPC number, and the fourth level threat is a
counterfeit product with a genuine RFID tag that is removed and reapplied from a genuine
product. The threat levels and needed countermeasures are summarized in Table 1.
Low levelof security
Tag-productintegrity
Detection ofcloned tags
Tag cloningresistance
weak
strong
strong
strong
ACCESSpasswords
Unique TIDnumbers
Cryptotags
Mark invalidEPC numbers
T&T checks
Synchronizedsecrets
Tag seals
Physical tag integration
Logical tag integration
Basicmeasure
High level of security
Figure 5. Roadmap towards secure authentication of EPC-tagged products
Reading a product’s EPC number and verifying that this number has been issued by the
brand owner (“white list”) represents the first level of a technical countermeasure (cf.
BRIDGE – Building Radio frequency IDentification solutions for the Global Environment
subsection 2.1). When the need for security increases, additional security measures are
needed against tag cloning attacks and tag-product integrity violations, i.e. removal and
reapplication of valid tags. These security measures are illustrated in Figure 5. For products
where the risk of counterfeiting is very low, such as some non-branded fast moving
consumer goods, the basic measure provides a good starting point. For products where the
risk of counterfeiting is higher, such as medicines and airplane spare parts, the need for
security is higher and the first technical countermeasure should already include some more
advanced security measures, such as track and trace checks or cryptographic tags.
In general, the need for security increases over time; counterfeiters can learn about the
countermeasures and implement ways to overcome or bypass them. When a need for an
increased level of protection is recognized, for example by discovering that counterfeiters
copy the EPC numbers of genuine products or that tags with fully programmable TID
memory have become commercially available, the brand-owner needs to move towards
stronger security measures. Since additional security measures have always costs involved,
only the necessary security measures should be implemented. This paradigm is called “good
enough security” [23] and it argues that practically and commercially successful security
systems have a level of security that is modest in the academic sense, but good enough to
work in practice.
2.1 Basic Measure This subsection formalizes the basic measure that is not yet secure authentication of
products, but the foundation for the secure authentication. We define authentication as
verification of the claimed identity and therefore identification is the prerequisite for
authentication. A product claims to have a certain identity through the EPC number written
on its RFID tag. The basic measure is to read the EPC number and verify that it is valid, i.e.
one that can be found on a genuine product. This kind of check is analogous to having a
doorman in front of a club to verify that only people who have their name on the list get in;
thus only the people on the list are authorized to enter.
Identification = A claim of identity
Authentication = Identification + Verification of the claimed identity
Valid EPC number = An EPC number that can be found on a genuine product
BRIDGE – Building Radio frequency IDentification solutions for the Global Environment
Back-end Reader EPC Tag
read EPC(2)
inventory(1)
establish secure connection(0)
EPC, <location>, <time>(4)
EPC(3)
result (y,n)(6)
Phase I: Initialization
Phase II: Identification
Phase III: Verificationif EPC is valid:result = y;
else: result = n
(5)
Figure 6. Protocol of the basic measure (white list)
The basic measure has three phases: 1) Initialization phase, where the reader establishes a
secure connection with the back-end system (mutual authentication), 2) Identification phase,
where the reader reads the tag’s EPC, and 3) Verification phase where the reader asks the
back-end whether the EPC is valid. The protocol of the basic measure is presented in Figure
6. This measure corresponds to the so called “white list” approach [24]. In stronger security
measures the verification phase is replaced by a more sophisticated way to ensure that the
product is not a counterfeit. The protocol is illustrated based on the following assumptions:
• The product authentication solution is an online solution and the credentials are
stored only in the back-end,
• Product authentication (including track & trace data analysis) is triggered by
identification,
• The protocol continues until the authenticity result is known by the reader (exception:
synchronized secrets), and
• Possible “early endings” of the protocols are not marked, i.e. cases where the
product’s counterfeit origins are revealed before the final verification (e.g. back-end
does have the TID stored for a certain EPC).
The basic measure identifies a product and checks if the identity is valid. The requirements
of this basic measure are listed in Table 2. This measure does not provide any protection
against cloning nor removal and reapplying of tags so, but it filters out untagged counterfeits
and counterfeits tagged with invalid IDs. In order to pass this check, a counterfeit product
simply needs to have a cloned RFID tag or an RFID tag removed from a genuine product.
The following three subsections describe how to address these threats.
BRIDGE – Building Radio frequency IDentification solutions for the Global Environment
Table 2. Prerequisite for product authentication: the basic measure
Security Measure Tag Requirements Back-End Requirements Other Requirements
Basic Measure (white list) EPC Verification of EPC Reader-to-back-end authentication
2.2 Towards Strong Prevention of Tag Cloning This subsection presents the existing and envisioned preventive security measures against
tag cloning attacks. They should be used when the basic measure is not considered secure
enough.
Two existing PIN-based commands of Gen-2 tags, KILL and ACCESS, can be used for ad-
hoc techniques for authenticating [25]. The KILL protocol bases on the fact that even though
the EPC of a tag can be maliciously scanned, the KILL-password remains secret. Cloned
tags can be found by testing, but without killing the tag due to low reader power, if a tag’s
KILL password matches the one stored in a database. Implementation of this technique is
feasible in deployed tags, but presents some delicate technical challenges [26]. We therefore
focus on the ACCESS password that can be tested on a tag in a similar way but without the
risk of killing the tag. This protocol is presented in Figure 7. In order to fool this check, the
adversary needs to obtain the ACCESS password of the genuine tag for example by
eavesdropping an authorized reader device that authenticates the targeted tag, or perform a
brute force attack against the 32-bit password (i.e. go through the possible passwords and
query the tag by repeating step 7 in the protocol). Overall, this security measure provides
some protection against tag cloning but it is somewhat clumsy and is vulnerable against
decisive attacks.
Back-end Reader EPC Tag
result (y,n)(8)
test the ACCESS password(7)
EPC, <location>, <time>(4)
ACCESS password(6)
Phase III: Verification
Find ACCESS password
for this EPC
(5)
Figure 7. Authentication based on ACCESS passwords
In addition to the PIN commends, also the unique factory programmed read-only
Transponder ID (TID) numbers can increase the cloning resistance of EPC Class-1 Gen-2.
The reasoning behind the TID scheme is that a tag is authentic if it has a correct EPC & TID
pair, illustrated in Figure 8. TID is not cryptographically secure and it only represents a
practical hurdle against tag cloning. A detailed evaluation of the level of protection that the
TID scheme provides in practice is presented in BRIDGE D5.5. Though it does not seem to
be possible to buy Gen-2 tags with programmable TID numbers today, working prototypes of
semi-passive tags (e.g. in BRIDGE WP4) demonstrate that a tag impersonation device can
be built from less than ten euros worth of standard components to fool TID checks. As a
BRIDGE – Building Radio frequency IDentification solutions for the Global Environment
result, end-users should only make use of serialized TID numbers in applications where the
tagged items can be physically inspected as a temporal and complementary solution.
EPC, TID, <location>, <time>(6)
result (y,n)(8)
read TID(4)
TID(5)
Phase III: Verificationif EPC and TID
match: result = y; else: result = n
(7)
Figure 8. Authentication based on unique TID numbers
While cryptographic RFID tags are currently widely available in the HF band (e.g. Mifare
Desfire3
Another way to implement a secret key on the RFID transponder is to use a Physical
Unclonable Function (PUF). The PUF is a one way function that allows for the calculation of
unique responses using only some hundreds of logical gates without any costly
cryptographic primitives [33]. In order to make the use of eavesdropped responses
infeasible, several challenge-response pairs have to be stored in a database. PUF has been
successfully implemented on HF (13.56 MHz) tags [32] and it is currently becoming
commercially available.
), today there are no cryptographic tags commercially available in the UHF band.
However, the need for security products in the UHF market is emerging and the first
implementations exist [27, 28]. Tag-to-reader authentication can be based on cryptographic
primitives like bitwise operations and pseudo-random numbers [29], hash-functions [30],
symmetric-key encryption [27] or asymmetric encryption [31]. Asymmetric encryption is
currently very challenging on RFID tags but due to advances in Elliptic Curve Cryptography
(ECC) it is becoming feasible. These approaches cannot be employed without hardware
support from the chips and since the cryptographic calculations require additional power they
might decrease the tag performance in terms of reading time and range. Cryptographic UHF
tags are expected to become commercially available in the near future, provided that there is
a sufficient market pull for them.
The tag- high-level to-reader authentication protocol is similar for cryptographic tags and for
PUFs. This protocol is illustrated in Figure 9.
3 http://mifare.net/products/mifare_desfire.asp
BRIDGE – Building Radio frequency IDentification solutions for the Global Environment
Back-end Reader EPC TagEPC, <location>, <time>
(4)
challenge(5)
challenge(6)
response(7)
response(8)
result (y,n)(10)
Phase III: Verification
if response is correct: result = y;
else: result = n
(9)
Figure 9. Authentication based on cryptographic tags / PUF
Different preventive security measures and their requirements are illustrated in Table 3.
Table 3. Summary of preventive security measures on EPC tags
Security Measure Tag Requirements Back-End Requirements Other Requirements
Access password ACCESS password Password verification (none)
Unique TID number Unique TID number TID verification (none)
Cryptographic tags Cryptographic processor Challenge-response protocol (none)
Physical unclonable function PUF Challenge-response protocol (none)
2.3 Towards Reliable Detection of Cloned Tags Tag cloning attacks can also be addressed by reliable detection of cloned tags. Different
detection-based security measures exist and they vary on their complexity and on the cases
when they can detect the cloned tags. They should be used when the basic measure is not
considered secure enough. A theoretically optimal detection-based measure would trigger an
alarm for 100% of cloned tags as soon as they enter the secured channel (detection rate)
and to 0% of genuine tags (false-alarm rate). In practice, however, some uncertainty is
always present in the system and there is a trade off between the detection rate and the
false-alarm rate. This means that the detection-based security measure triggers alarms for
suspected cloned tags and a manual verification is needed to ascertain the origins of the
product (based on other security features or the product’s natural features).
The aforementioned basic measure represents a white list of valid EPC numbers (“blacklist”).
The first detection-based measure is to mark those EPC numbers on this white list that are
known to be invalid, for example because the product has been sold, consumed, or delivered
to the end-user. One variant of this measure is allowing N first basic verifications to pass the
check, e.g. because it can be expected that the product is verified N times in the licit supply
chain, and after that marking the corresponding EPC as invalid. This variant is suitable for
static supply chains (N is constant) where the risk of counterfeiting is high. Overall, marking
invalid EPC numbers is a simple but effective measure since it limits the time span when
counterfeiters can use a copied EPC number to the time point when the EPC number
becomes invalid. The high-level protocol of this measure is same to that of the basic
BRIDGE – Building Radio frequency IDentification solutions for the Global Environment
measure (Figure 6). This measure can be used with a very small marginal cost if the trace
data already tells which EPC numbers are invalid.
The track and trace data can also be used to detect if a genuine tag and a cloned tag travel
simultaneously inside the supply chain. In other words, track and trace checks address
detection of cloned tags before the genuine product is known to have left the RFID system
and the EPC can be marked as invalid. These approaches should be used when the risk of
counterfeiting is high (cloned tags can enter the chain before the genuine tags are marked
invalid) or when marking invalid EPC numbers is not feasible due to lacking data (e.g. it is
not known when all tagged products are sold) or when there are dynamic changes in the
supply chain (the N-approach is not feasible). BRIDGE WP5 has developed two different
approaches for track and trace based checks, so called statistical approaches based on
machine-learning techniques and so called rules-based approach based on configurable
rules (see BRIDGE D5.4 for prototype description and D5.5 for thorough evaluation of these
approaches). Guidelines for choosing the right approach are provided below. Overall, cloned
tags can be detected in a reliable way from track and trace data that contains a chain of
shipped and received events, but some false alarms or missed events might be possible in
special cases such as missing reads. The advantage of track and trace checks is that no
additional interaction is needed between the reader and the tag.
• Statistical approach: Statistical track and trace analysis automates most of the
tasks needed to detect cloned tags from the track and trace data. The user’s main
task in statistical approaches is selecting a representative test data set (normal
traces) that captures the mechanisms of the underlying supply chain. The more
complex the supply chain and the more read errors there are, the more test data is
needed. In particular, the training data must not contain events generated by cloned
tags, which currently must be manually assured. In case there are changes in the
underlying supply chain, the system needs to be trained with a new set of training
data. Since statistical approaches can automatically detect majority of missing read
events (approximately 80% in a simulator study, cf. BRIDGE D5.5), they are also
suitable in cases where read errors can be a problem.
• Rules-based approach: The main advantage of the rule-based anti-counterfeiting
approach is the possibility of leveraging existing industry- and company-specific anti-
counterfeiting knowledge by defining anti-counterfeiting rules. It is suitable in cases
where the company wants to protect its specific supply chain by defining conditions
that, once broken, give indication of counterfeiting activities. The included decision
support system supports the user in limiting false positive cases, since read errors or
missing reads might make specific rules trigger an alert (see also BRIDGE D5.5). The
rule-based anti-counterfeiting framework empowers the user with the ability to define
BRIDGE – Building Radio frequency IDentification solutions for the Global Environment
and try out different rules and thus it resembles a data mining tool for track and trace
data. Moreover, the alert information can be statistically analyzed in order to detect
supply-chain specific patterns of counterfeiting injections, for example.
EPC, <location>, <time>(4)
result (y,n)(6)
Phase III: Verificationif product passes
the trace check:result = y;
else: result = n
(5)
Back-end Reader EPC Tag
Figure 10. Authentication based on track and trace checks
If the tags have a small amount of rewritable user memory (e.g. 32-bits), it is also possible to
detect when two tags with the same EPC enter the RFID system. This can be done with so
called synchronized secrets method described in BRIDGE D5.4 and D5.5. This method
requires a centralized back-end server that knows which synchronized secret (denoted s in
Figure 11) is written on the tag. If a tag is cloned and the cloned tag is injected to the RFID
system, the back-end will notice an outdated synchronized secret on a tag as soon as both
the genuine tag and the cloned tag are scanned once again. As a result, a manual
verification is needed to ascertain the origins of the two pinpointed products with the same
EPC number. This approach is most suitable in cases where it is known when the products
leave the RFID system (similar to marking invalid EPC numbers), otherwise a cloned tag can
“hijack” the trace of a genuine tag that leaves the system and the system does not detect
this. A high scan rate provides a high level of security (reliable and early detection of tag
cloning attacks). If the scan rate is low, for example due to a high dwell time in a warehouse,
there might be a long delay until the alarm is triggered. Therefore the synchronized secrets
approach is not well suitable in cases where this delay is probable and not acceptable, such
as for life-saving drugs that are stored for long times in warehouses where the tags can be
copied.
read si
si
EPC, si
result, si+1
si+1
acknowledgement
acknowledgement
acknowledgement
if si is correct:result = y;
else: result = fsi+1 = RND32
(5)
(4)
(6)(7)
(8)
(9)(10)
(12)
(13)
(11)
Back-end Reader EPC Tag
Phase III: Verification
replacesi with si+1
Figure 11. Authentication based on synchronized secrets protocol
The requirements of the different detective security measures are summarized in Table 4.
BRIDGE – Building Radio frequency IDentification solutions for the Global Environment
Table 4. Summary of detective security measures
Security Measure Tag Requirements Back-End Requirements Other Requirements
Mark invalid EPC numbers (blacklist) (none) Verification of EPC POS data (or similar)
T&T data analysis (none) SSCM / Rules T&T data
Synchronized secrets 32-bit user memory Synchronized secrets protocol POS data (or similar)
2.4 Towards Strong Tag-Product Integrity Tag-product integrity counters tag removal and reapplying attacks. Guaranteeing tag-product
integrity means guaranteeing that a tag is attached to the right product, and not to a
counterfeit one. The respective attack is removal of a genuine tag from a genuine product or
its packaging and reapplication of this tag onto a counterfeit product. This attack can be easy
to execute if a tagged genuine product is available and tag-product integrity has not been
addressed. From the point of view of the adversary, however, this attack is somewhat
burdensome since it requires manual work, access to genuine tags, and needs to be
repeated for each counterfeit article. Therefore it does not seem viable for large numbers of
products and in the industrial scale that characterizes today’s problem of product
counterfeiting. Rather, tag removal and reapplying is likely to a problem with higher-price
products where already small quantities can be profitable for a counterfeiter. In particular, if
tag copying attack is addressed with very strong preventive measures that the counterfeiters
are aware of, such as cryptographic tags, attack against tag-product integrity can be the
cheapest and most attractive way for a counterfeiter to fool an authenticity check.
Sealing an RFID tag to a product’s packaging, or event to the product itself, is a
straightforward way to improve tag-product integrity. The idea is to place the seal over the
RFID label to reveal all attempts to remove or reapply a tag. A commercial security seal is
illustrated in Figure 12. When allowed by the product’s form factor and esthetic requirements,
an unbroken physical seal thus acts as a proof that the RFID label has been attached by the
brand owner. In addition, tag removal inside a secured channel is revealed by a broken seal,
which makes it possible to mark stolen tag ID numbers in a database. Tag sealing is
especially well suited for case and palled level tags in channels where the risk of tampering
is elevated.
Figure 12. Example of a commercial security seal (www.tesa.com).
BRIDGE – Building Radio frequency IDentification solutions for the Global Environment
In the case of item level tagging, physical integration of tags to products provides various
possibilities for guaranteeing tag-product integrity depending on the characteristics of the
product itself. Figure 13 illustrates tag integration to a leather good and to a metal watch. In
this example, the leather good tag is not securely integrated since it can be easily detected
and removed, where as the watch tag is secure integrated (i.e. it is hard for the adversary to
perform a removal and reapplying attack owing to the specific engineering challenges of tag
integration in this case). Regarding security, the goals of physical tag integration are to make
the tag 1) hard to find by the counterfeiter, 2) hard to remove without breaking the tag and/or
the product, and 3) hard to reapply to a counterfeit product in a seamless way. More
information about secure tag integration can be found from EU-SToP D4.3 [33].
Figure 13. Physical tag integration provides different possibilities depending on the product [34]
To address tag removal and reapplying attack (as well as tag cloning) with low-cost tags,
there exists a logical way to bind an RFID transponder to a particular product [35]. This
security measure is based on writing on the tag memory a digital signature that combines the
tag identifier and some product specific features of the genuine product. These features can
be physical or chemical properties that identify the product and that can be verified, such as
very precise weight. Figure 14 illustrates this approach. The chosen feature is measured as a
part of the check and if the feature used in the tag’s signature does not match the measured
feature, the transponder-product pair is not original. The proposed authentication needs a
public key stored on an online database. Also an offline authentication is proposed by storing
the public key on the tag, though this decreases the level of security. In practice, finding a
suitable feature might be very challenging – and if the tag has one that can be reliably
measured, then the product authentication can be done directly based on this feature without
using RFID. Another disadvantage of this approach is that each unit has to be physically
verified as a part of authentication.
BRIDGE – Building Radio frequency IDentification solutions for the Global Environment
EPC, featureValue, <location>, <time>(4)
result (y,n)(6)
Phase III: Verificationif featureValue is
correct: result = y; else: result = n
(5)
Back-end Reader EPC Tag
measure the featureValue of the tagged object (outside the RFID system)
Figure 14. Authentication based on object-specific features
The requirements of tag-product integrity measures are summarized in Table 5.
Table 5. Summary of security measures for tag-product integrity
Security Measure Tag Requirements Back-End Requirements Other Requirements
Seal the tag (none) (none) (none)
Physical tag integration (none) (none) (none)
Logical tag integration (none) Verification of feature value Measurement of feature value
BRIDGE – Building Radio frequency IDentification solutions for the Global Environment
3 Supply Chain Locations for Product Authentication This section presents guidelines for selecting right supply chain locations for product
authentication. The goal in choosing these locations is to maximize the chances of
counterfeit products that enter the supply chain being verified. Selecting right supply chain
locations is crucial since it contributes directly to the achieved level of protection in practice
(cf. Figure 2, page 9).
A list of possible supply chain locations for product authentication is presented below. These
locations are illustrated on a generic supply chain map in Figure 15. (According to the object
event vocabulary of the EPCIS 1.0.1 specification they represent discrete business locations
within the supply chain, but throughout this document we will refer to them simply as supply
chain locations). The resulting list is achieved by gathering and clustering different usage
scenarios of technical anti-counterfeiting measures and it is meant for decision makers for
clarifying as well as identifying the need of a technical solution. When implementing an RFID-
based anti-counterfeiting system, the supply chain locations where products are to be
authenticated need to be identified before the technical can be specified. This is due to the
fact that all security measures cannot be deployed in all usage scenarios, mostly owing to
the limited coverage of the assumed EPC infrastructure.
Distribution
Retailer
Manufacturer
Retailer
Manufacturer
Consumer /End-User
Consumer /End-User
Licit Supply Chain Illicit Supply Chain
Distribution
Legend
Actors with lawful intent
Actors with illicit intent
Flow of goods
Potential entry of counterfeits
1
3
4
5
6
4’
Customs2
Customs2’
Use case
1
2
3
4
5
6
7
Inside distribution
Customs
Incoming goods
Goods on shelf
Point of sales
Consumer / End-user
After-sales services
7
8
8 Reverse logistics
Figure 15. Possible supply chain locations for product authentication
3.1 Different supply chain locations for product authentication This subsection lists the different supply chain locations where products can be used for
product authentication and discusses the pros and cons of the different usage scenarios.
BRIDGE – Building Radio frequency IDentification solutions for the Global Environment
1. Inside distribution: Counterfeit products can enter the licit supply chain in the
distribution level between manufacturing and retail. Counterfeits can appear either as
complete batches of faked goods or co-mingled with genuine goods. Authenticity
checks in the distribution level, e.g. in distribution centres, can help detecting these
counterfeits. Since logistic units (pallets, boxes, single goods) are identified using
Auto-ID inside the distribution level, the existing business processes provide an
opportunity to integrate authentication to processes where the products are currently
identified. In addition, since the products are handled usually in known lot sizes or
even one by one (e.g. luxury goods), the verified products do not need to be
separately counted to detect counterfeits that are not tagged. This is a major
advantage since this additional effort is thus not necessary. Another important
efficiency factor is the relatively small number of distributors, compared to the number
of retailers for instance; when all genuine products flow through a relatively small
amount of supply chain locations, screening the whole population can be done with a
much smaller number of check locations. Furthermore, authenticity checks inside
distribution can detect the counterfeit products as soon as they enter the licit supply
chain, close to the illicit actors. This increases the chances of detecting and
successfully prosecuting the infringers. Regarding effectiveness, however, the
distribution level is not the optimal location for authenticity checks since counterfeit
products can enter the supply chain also after this level. Also, when the brand owner
or manufacturer does not have its own distributors but it is done by other companies
(i.e. external supply chain), active collaboration with the distributors is required.
Getting the required contribution from external distributors can be very challenging
since the distributor does not get any clear business benefits from the authenticity
checks. This can be especially problematic for small brand owners. As a partial
solution, past management research proposes that manufacturers can engender
cooperativeness of distributors by nurturing satisfaction and dependence in
manufacturer-dealer relationships [20]. In particular, senior management’s
commitment to supply chain security is needed in order to gain distributors’
assistance in fighting counterfeit trade [20].
2. Customs: Customs is responsible of most counterfeit seizures in the world and it is a
key stakeholder in any anti-counterfeiting strategy. Anti-counterfeiting and verification
of products is one of the key tasks of national customs organizations, though it is
usually not as important as collection of taxes and duties, national security, and
enforcement of free trade. Furthermore, customs is considered the best locations to
interfere also the illicit supply chain (Figure 15). This means that supporting customs
in anti-counterfeiting not only protects the licit supply chain from counterfeit products,
but it also affects the illicit supply chain having a broader effect on counterfeiters’
BRIDGE – Building Radio frequency IDentification solutions for the Global Environment
business. Due to the complexity and size of the task, however, supporting customs
with a technical anti-counterfeiting solution is not straight forward. It is not feasible for
customs to adopt multiple devices to authenticate different kinds of products. Rather,
a standard solution that can handle different kinds of products is strongly preferred.
Such a standard, platform solution does not exist today and currently hundreds of
different product authentication solutions are being used, but integration of
authentication to Auto-ID technologies such as EPC/RFID has the potential to change
this. Since authentication of goods in customs is not coupled with processes where
the goods are identified but they are sporadic and done in an ad hoc mode to
suspicious samples, a system that is able to authenticate one good at a time is
sufficient. In addition, customs need mobile or handheld RFID readers since
inspections are conducted not only in customs warehouses, but also on highways, in
company’s warehouses etc. Sporadic checks of single samples helps customs
identify counterfeit consignments faster and easier, but they are not the most effective
way to detect small quantities of counterfeits that are co-mingled among genuine
products. Last, a hundred percent confidence level to the result of the check is not
mandatory since customs can hold back the suspicious goods and ask the brand
owner do additional checks since the brand owner has the final responsibility of
showing that seized goods are counterfeits.
3. Incoming goods: Authentication of incoming goods in the retail level is potentially a
very effective way to secure the licit supply chain. In general, retailers are in a critical
position to engage in countermeasures against product counterfeiting [19]. In our
generic supply chain model, the retail level comprises typical consumer good retailers
and other end-points such as pharmacies, hospitals, and small boutiques and
garages. These authenticity checks can be integrated to the process where incoming
goods are scanned in to the inventory before placing them to the back room or shop-
floor. If the incoming goods are subject to verifications in the existing process already,
such as expiry data verifications and order completeness verifications, the overhead
of integrating an authenticity check to the existing process can potentially be done
with a minimum overhead. A minimum overhead is also a requirement since the
process of scanning in incoming goods can be time-critical. Furthermore, since the lot
sizes of incoming goods are generally known, also detection of untagged counterfeit
products can be automated. In theory, the best and most secure final check point in a
supply chain is just before the goods reach the end-user or consumer (making
injection of fakes impossible after the last check point), but in practice incoming
goods in the retail level can be the last location where all goods can be easily
authenticated. If the integrity of inventory in the retail level can be guaranteed,
however, product authentication at incoming goods also guarantees the authenticity
BRIDGE – Building Radio frequency IDentification solutions for the Global Environment
of goods also at the point of sale or point of consumption. A critical factor regarding
the integrity of inventory is addressing internal threats by employees, for example the
possibility of replacing a genuine product by a counterfeit one. A downside with
authenticity checks in the retail level is that the counterfeit products are detected in a
relative late point in the supply chain, which makes tracing the source of counterfeit
goods harder. Another downside is that more check points are needed than in the
upstream locations; supply chains branch as they go downstream and the number of
retailers is typically order of magnitude higher than the number of distribution centers,
for instance. According to management research, the perceived seriousness of the
problem and internal acceptance of responsibility are the most important factors that
influence how willingly channel members assist manufacturers in anti-counterfeiting
[19]. Furthermore, management practices that induce higher satisfaction and
dependence, but lower conflict and control, will enhance a manufacturer’s ability to
gain the help of retailers [20].
4. Goods on shelf: Authenticity checks can secure the retail level also through
verification of goods on shelves, i.e. on the shop-floor. This can be done either with
the consent of the retailer, as an audit by the brand owner, or without the consent of
the retailer, as a mystery shopper. In theory, also normal consumers could perform
these checks if they were empowered with the needed technology and had the
incentive to use it. A prerequisite for these checks is that the verified products are
openly displayed, which restricts application of this scenario mostly to consumer
goods (one way to overcome this restriction, as well as the need of mystery
shoppers, is to do test purchases and authenticate the samples afterwards). Checks
of goods on shelves are sporadic and can be targeted to suspicious or high-risk
targets to increase their effectiveness. It is not likely that these checks can be done
as a part of other processes where the goods are verified or identified, and therefore
they represent additional effort and overhead. But this effort needs to be seriously
considered since, together with checks in customs, verification of goods on shelves is
the only way to interfere with the illicit supply chain (perhaps excluding infiltration of
private investigators among the illicit upstream actors). An RFID-based solution with a
large read range and a bulk reading mode suits this usage scenario especially well
since it enables quick and imperceptible verifications. In order to detect untagged
counterfeit items, however, the number of verified items needs to be counted
manually. In addition, since this check is conducted at a late state of the supply chain,
tracking down the sources of detected counterfeit goods can be hard. The last
downside of this usage scenario is the big number of retail stores that need to be
covered.
BRIDGE – Building Radio frequency IDentification solutions for the Global Environment
5. Point of sales: Authenticating products at the point of sales or at the point of
consumption (e.g. a drug that is consumed in a hospital) secures the last link of the
licit supply chain. At this step products are already handled one by one and identified
with Auto-ID (e.g. to find out the price, or to verify the expiration date for
pharmaceuticals). These conditions can make the introduction of an additional
authenticity check very lean and minimize the overhead and additional effort of
product authentication. In the same time, introducing systematic authenticity checks
in the point of sales level is very challenging. Foremost, authenticating products in
front of the consumer, patient or end-user interferes with the customer relationship.
For example in the pharmaceutical industry this can cause trust problems between
the doctor or pharmacist and the patient, and in the luxury goods industry it can mean
breaking the romance of the buying experience. Therefore retailers in general do not
want to deal with product counterfeiting issues in front of their customers since it can
generate negative associations for customers who usually have not considered
previously that counterfeit products could appear in the retail level. The dilemma is
that these associations are perceived negative, even though the authenticity checks
are conducted for the customers’s own good. There are also other factors that make
authenticity checks challenging in the point of sales level. They take place in a time-
critical process where additional delays are not welcome and they take place far from
the sources of counterfeits. Last, the vast number of possible point of sales locations
makes diffusion of the technology and process changes burdensome and probably
possible only with standards, mandates and/or regulations.
6. Consumer / End-user: In the long term technology vision also normal consumers
can interact with RFID-tagged smart products. As a result, they can also have the
possibility to authenticate tagged products. Technically this could by possible for
example by solving the interoperability problems between NFC and EPC technologies
[22] but also by using mobile phone cameras to read bar codes on the products to
give an access to the RFID trace data. This would also require a gateway though
which anonymous or authorized consumers could access the product authentication
back-end application. Overcoming these challenges would potentially empower
masses of consumers with the ability to authenticate products in locations where
brand owner cannot access otherwise, including secondary markets (e.g. flea
markets, C2C sales) and new geographic areas. Such community-based
authentication applications have already been proposed for mobile applications [21].
While consumers can refuse buying the counterfeits they detect and inform their
communities about the fakes, they lack the law enforcement lever to launch
responses against the infringers and thus should be supported by the brand owner. In
addition, in some cases consumers buy counterfeits intentionally, which limits this
BRIDGE – Building Radio frequency IDentification solutions for the Global Environment
scenario to those product categories where consumers have real incentives not to
buy a fake. The second part of this usage scenario is authentication of products that
are being used by the end-users. A prominent example of this scenario is
authentication of spare parts in the aerospace industry where counterfeiting does not
really affect the licit supply chain through which the genuine spare parts are
delivered, but the network of repair, maintenance and overhaul depots where the
spare parts are used. In this case the authenticity checks can be integrated to
existing processes where the spare parts are already identified with Auto-ID. In
general, missing tracing infrastructure or lack of data sharing limits the use of
detection-based authentication in this usage scenario, so prevention-based measures
might be preferred.
7. After-sales services: In some cases counterfeit goods can enter the licit supply
chain in after sales services when customers return goods that are already bought.
This can be a relevant scenario for example in the luxury goods industry where
products are used during long periods of times and sometimes they need to be
returned for repair, polishing or refurbishment. Even though authentication of
products in after-sales services does not prevent the harm from happening in the first
place – i.e. the consumer from getting a counterfeit product – it enables easy
detection of counterfeits in an early phase of the service. From the process point of
view authentication of these products is relatively easy since these products are
handled one by one and in small quantities, in the premises of the retailer or brand
owner (e.g. a luxury goods boutique). Owing to the interference with customer
relationship discussed in the point of sales scenario above, it might be preferable not
to authenticate these products in front of the customer but in the back room or service
level. This is also a preferable practice in those cases where the customers knowingly
bring counterfeit goods to after-sales services with the hope of getting them replaced
by genuine goods, since a face-to-face conflict with these fraudulent customers is
avoided. From the technical point of view, this usage scenario is made challenging by
the lack of complete trace data and by the fact that the process needs to handle also
non-tagged products, including those product categories that are not tagged as well
as older products that were not yet tagged. In addition, tracing the source of the
counterfeit products detected in this usage scenario can be very hard.
8. Reverse logistics: Similar to the after-sales services scenario, counterfeit products
can enter the licit supply chain also through reverse logistics of products that are
returned to the manufacturer under warranty. This can be a relevant scenario for
example in the This is particularly an issue with electronics, batteries, computer chips
and mechanical components or accessories, where manufacturers are seeing an
increase in counterfeit parts being returned to manufacturers under warranty and
BRIDGE – Building Radio frequency IDentification solutions for the Global Environment
claiming replacement. Many manufacturers are therefore having a problem
authenticating these items and, without appropriate technology and processes, have
found that they are forced to replace a fake item with a genuine item. In this case an
authenticity check can be integrated in the service process on the manufacturer’s
side. Compared to checks in the lowest levels of the supply chains, only a very small
number checking locations is needed to secure this link. The downside of this usage
scenario is that it is very far from the source of counterfeits and the benefits are
limited to elimination of losses due to replaced or fixed counterfeit products.
3.2 Feasibility of different security measures Since all RFID-based product authentication methods cannot be applied in a secure way in
all supply chain locations, selection of the wanted usage scenarios has an effect on the
possible security measures. Table 2 presents the conceptual limitations of the considered
product authentication approaches in the listed usage scenarios. Foremost, the detection-
based approaches have limitations or cannot be securely applied after the genuine products
leave the supply chain and are no longer traced.
BRIDGE – Building Radio frequency IDentification solutions for the Global Environment
Table 6. Conceptual feasibility of RFID-based product authentication measures in different supply chain locations (see Section 2 and BRIDGE D5.4 for technical details).
Supply Chain Location Basic Blacklist T&T Sync. Sec. Password, TID, Crypto, PUF
1 Inside distribution OK OK OK OK OK
2 Customs OK OK OK OK OK
3 Incoming goods OK OK OK OK OK
4 Goods on shelf OK OK OK OK OK
5 Point of sales OK OK OK OK OK
6 Consumer / End-user OK
Limited* Limited** No***
OK****
7 After-sales services OK OK
8 Reverse logistics OK OK
* Limited: in addition to copied tags, also the genuine tag will raise an alarm after the ID number is in the blacklist ** Limited: cloned tags cannot be reliably detected once the product is no longer traced *** No: products that have left the distribution channel must be marked in order to avoid identity hijacking **** Password approach can be made available only to trustworthy parties since the verifier learns the secret
BRIDGE – Building Radio frequency IDentification solutions for the Global Environment
4 Anti-Counterfeiting Project Life Cycle This section focuses on the development of a generic project life cycle model for the
adoption of RFID-based anti-counterfeiting solutions. It shall serve companies, which are
affected by counterfeiting, as a manual for deploying deploy RFID and track-and-trace based
anti-counterfeiting solutions. This section will not focus on all aspects of project
management, but on RFID- and anti-counterfeiting-specific aspects. Thereby, this deliverable
assumes that the company has not yet implemented RFID, but that it has made first
experiences with the technology by conducting laboratory trials and trainings.
4.1 Selection of a Project Life Cycle Model Numerous approaches towards the project life cycle can be found in literature. For projects of
different sizes and purposes, there exist multiple models to fit to the very different
requirements. In order to create comprehensive application guidelines, this deliverable
focuses on a generic approach rather than on a specific phase model. This generic model is
developed based on de facto project management standards like the Project Management
Body of Knowledge (PMBOK), the IPMA Competences Baseline (ICB) [7], and Projects in
Controlled Environments (PRINCE2) [5]. In concordance with these standards, the following
four generic phases are used for the project life cycle.
Purpose of the Implementation Phase
Pilot Study
Administrative and Organizational Requirements and Changes
Technical Requirements and Changes
Closing of the Project Purpose of the Initiation Phase
Problem Analysis
Project Team
Definition of Project Scope
Feasibility Study
Cost-benefit Analysis
Purpose of the Planning Phase
Organizational and Process Changes
Site Survey
Selection of Hardware and Software
Stakeholder Analysis
Initiation Phase Planning PhaseImplementation Phase
Closing Phase
Figure 16: Project Life Cycle
Companies adopting the prototype can map the activities of these phases to their own model
in order to adapt the application guidelines to their special needs. Furthermore, this
deliverable will have a special focus on the ongoing activities, which include operation,
maintenance, and countermeasures against new counterfeiting methods. These influence
RFID within the four process steps, including the closing, operations and maintenance
phase, which will be described in the following sub-sections.
BRIDGE – Building Radio frequency IDentification solutions for the Global Environment
4.2 Initiation phase
4.2.1 Purpose of the Initiation phase The initiation phase is the first step in the project life-cycle. The goal of this phase is the
definition and authorization of the project. Thereby, a project team analyses the underlying
problems, the goals, the feasibility, the requirements, and the costs and benefits of the
project. This phase is concluded by a preliminary go or no-go decision.
4.2.2 Problem Analysis One of the first things to do when starting an anti-counterfeiting project is to analyze the
underlying problem. Different aspects of the problem need to be regarded: besides monetary
aspects, there are security and image aspects. While the direct monetary damage of
counterfeiting is huge for one company, this monetary damage is rather minor for others.
Though, these companies may want to start anti-counterfeiting, because a bad impact on
their image caused by counterfeits can result in a major loss of potential customers. Also
companies of branches with high requirements towards security may not want to fight
counterfeiting because of monetary reasons only. An aviation company, for example, can
significantly lose customers’ trust, if one of its airplanes crashes due to a counterfeit spare
part used to repair the plane. Therefore, monetary analysis/reasons are good instruments,
but not always suitable for deciding whether to engage in anti-counterfeiting or not.
Furthermore, it is very difficult to calculate the monetary damage of counterfeits. On the one
hand, gathering the correct information is almost impossible and on the other hand many,
assumptions must be drawn. For example, would someone who buys a 20 € counterfeit also
buy the genuine product for 500 € instead? In Addition, it is very difficult to calculate the
share of counterfeits sold with genuine products [12]. Therefore, also other indicators for
analyzing the problem of counterfeiting must be found. As described in the EU-SToP4
• Products with high sales volumes are more interesting for counterfeiters due to the
fact that these products are widespread. This means that on the one hand
counterfeiters know these products better than less known products, and that there
are more potential customers for buying the counterfeits on the other hand.
D1.4,
the following list provides an overview of important indicators [13]:
• Profitability for counterfeiters is an important prerequisite. Due to the fact that
counterfeiters save the research, development, design, and marketing costs the
counterfeiter’s margin can be calculated as the difference between a product’s gross
profit margin (which does not include indirect expenditures like marketing and R&D),
and the operating profit margin. The higher this margin is, the more attractive is the
product to the counterfeiter.
4 Stop Tampering of Products
BRIDGE – Building Radio frequency IDentification solutions for the Global Environment
• The easier it is to imitate a product’s visual quality, the cheaper it is for the
counterfeiter to duplicate the product. Therefore, the ease of duplication
characterizes the counterfeiters estimated investment in production facilities and
represents an entry barrier for the illicit business. However, also complex products
can be targeted by counterfeiters.
• The demand for fakes is another important driver for counterfeiters. The higher the
demand for fakes is, the easier it is to sell counterfeits, because there is no need to
fool the buyers. The demand for counterfeits can exist when the genuine product is
not available due to delivery problems, regulations, or higher prices.
• If a product already has a counterfeiting history, it is very likely that it will also be
counterfeited in the future. In order to estimate the extent, different illicit channels,
such as the Internet or flea markets can be checked upon suspicious products.
Cooperation with customs organization can also be very helpful to gain knowledge,
such as about the number of seized goods.
Moreover, the problem analysis includes the following counterfeiting characteristics:
• Is there deceptive counterfeiting? If yes, a technical solution can be in case the
authenticity of the product shall be checked. Deceptive counterfeits are sold at prices
close to those of genuine products. Hence, the risk of deceptive counterfeiting is high
and companies should address the problem of counterfeiting (see also BRIDGE D5.2
Requirements Analysis Report).
• Are counterfeit products imported to the European Union? If yes, a technical
solution can be valuable, for example, customs authorities can also check the
authenticity of the products (see also BRIDGE D5.2 Requirements Analysis Report).
• Are there counterfeit products in the licit supply chain, mixed with genuine products? If yes, a technical solution can be valuable in order to detect these
shipments with mixed merchandise.
The following table can be used in order to quantify the problem. The different indicators
described above are weighted and quantified for each product. Therewith, it is possible to
estimate the extent of the problem and to compare the different products.
Table 7: Decision making tool for evaluating the overall risk of counterfeiting
Weight Product X Product Y Product Z Counterfeiting and grey market history 15% 5 … … Sales volume of the genuine product 20% 6 Risk to consumers due to counterfeiting 15% 9 Direct loss of future sales due to counterfeiting 10% 4 Demand for counterfeits 10% 3 Profitability for counterfeiters 20% 6
BRIDGE – Building Radio frequency IDentification solutions for the Global Environment
Ease of duplication 10% 6 Overall risk of counterfeiting 100% 5.80 6.10 4.20
In order to protect the licit supply chain from counterfeit injections, Section 3 lists
recommended locations where to check the products within the supply chain. Besides the
counterfeiting aspects mentioned in the lists above, a company-internal analysis of the
counterfeiting situation in the licit supply chain will support the brand owner to define where
to check within the supply chain and to opt for an adequate anti-counterfeiting solution, e.g.
an technical solution based on RFID and track-and-trace technology. With choosing the
“right” locations, the brand owner can maximize the chances to check counterfeit products
that enter the licit supply chain. As stated in Section 3, selecting the right supply chain
locations is crucial since it contributes directly to the achieved level of protection in practice
(cf. Figure 2 and Figure 15).
As a start of the process and as one part of the problem analysis, the above introduced
decision making tool (Table 7) can be applied. If the problem analysis indicates that there is
a need for action, adequate methods need to be chosen to proceed against counterfeiting.
Since BRIDGE WP5 focuses on the RFID technology, the following subsections will only deal
with the adoption of EPC/RFID based approaches.
4.2.3 Project Team The project team is one important success factor for an RFID-project. Due to the high
integration of many different fields, multidisciplinary expertise is needed. Therefore, the skill
set of the project team should reflect a mixture of these different fields including
manufacturing, logistics, operations, engineering, warehouse management, business
process reengineering, and information technology [1]. If this knowledge is not available
within the company, training sessions and/or external consultants are needed.
Figure 17: Example for an RFID project team [6]
BRIDGE – Building Radio frequency IDentification solutions for the Global Environment
Usually, the project team is divided into a core and an extended team. Figure 17 shows an
exemplary core project team. While the core team consists of full time employees, the
extended team includes personnel, which are interconnected to the RFID-project. It is also
possible to integrate external experts, partners, and technology providers into the extended
team. Their expertise, however, should only be consulted if necessary. Typically, the
members of the extended team are experienced in the fields of quality management, IT,
organization, sales, marketing, HR, law and R&D. In contrast to the core team, the extended
team bears no responsibility for the success of the project. The following project roles should
be considered within the core team:
• Project Leader: The project leader needs to unite technical expertise as well as
process knowledge, in order to communicate in a competent manner with technical
and business experts. Furthermore, experiences in management of large-scale
projects are desirable.
• Change manager: The change manager should have good communication skills and
experience in process reengineering and optimization. His tasks are to anticipate,
document, and monitor the upcoming organizational changes in order to avoid
undesired side-effects.
• RFID manager: An RFID manager needs to have knowledge about the RFID
hardware. Furthermore, he should know which hardware to choose and how to
implement this hardware. He is responsible for the site survey and the
implementation of the hardware.
• Application lead: The application lead needs to have a broad IT knowledge.
Furthermore, he needs experience with the required software application and
underlying data. He will lead the integration of the RFID solution into the current IT
infrastructure.
• Process manager: The process manager is an expert in supply chain management.
He should know and understand the processes within the company well. He is
responsible for the adoption of the business processes. Furthermore, he is the central
expert for anti-counterfeiting.
Anti-counterfeiting is only one of numerous business applications being enabled by an
extended RFID and track-and-trace platform. According to industry interviews, companies
would invest into an RFID and track-and-trace infrastructure (especially on item-level) for
multiple beneficial applications, inter alia anti-counterfeiting. Hence, besides the process
manager, who is the responsible expert for the anti-counterfeiting application, other experts
or teams of experts, responsible for other business applications, are needed. This fact has
an additional influence on the RFID project team.
BRIDGE – Building Radio frequency IDentification solutions for the Global Environment
4.2.4 Definition of Project Scope Defining the project scope is very important for RFID projects due to the fact that a clear
scope can have various positive effects on the success of a project [38, p. 455]. On the one
hand, clear goals can reduce unrealistic expectations towards the RFID-technology, and on
the other hand they can increase the acceptance amongst stakeholders. By stressing the
importance of the project within the project scope, users, employees, customers, and
partners can easily understand the purpose and the meaning of the project. During the
project, the focus must be kept on the scope in order to stick to clear budgets and
timeframes [7]. Due to the fact that the RFID-technology offers innumerable application
possibilities, an RFID-project bears the risk of losing focus by covering too many different
topics. Therefore, it is very important to set and stick to SMART (specific, measurable,
achievable, relevant and time bound) goals [10]. As a next step, a feasibility study needs to
be conducted in order to check the achievability.
4.2.5 Feasibility Study The feasibility study needs to clarify if the project can be realized or not. Therefore, it has to
answer major key questions which are inter-connected with the success of the project. With
the answers at hand, the study has to analyze if the goals can still be met. If not, the project
either needs to be stopped or the scope needs to be redefined. In the following, a list is
provided with RFID-specific aspects which need to be regarded in the study. This list should
not be seen as a complete list, but rather as a list of important points. For each project and
each company, there can be additional question which are not regarded here:
Product
• Which products need to be tagged? This is a strategic decision about the scope of
the project, and it should be done based on the problem analysis (cf. subsection
4.2.2).
• Can the chosen products be tagged with EPC tags and on item-level? All possible
problems with metals, liquids, digital goods and raw materials like chemicals, or
tagging possibilities have to be clarified.
• Where and how can the tags be attached to the products? Can the requirements of a
secure integration be fulfilled? Are the manufacturing and packaging process
changes feasible?
• If not all products can be tagged, is it feasible to run several systems parallel in order
to handle untagged items? Are the company and its supply chain partners able to
handle the increased complexity of multiple systems?
Suppliers and Partners
BRIDGE – Building Radio frequency IDentification solutions for the Global Environment
• Which suppliers, distributors, retailers, and other supply chain partners need to be
involved in the RFID roll-out?
• Are the supply chain partners willing to adopt the RFID system? How can they be
convinced?
• Are the supply chain partners willing to share the needed data?
• Are there any suppliers or partners who already use RFID? Can knowledge be
transferred to the company or can the company benefit in other ways from it?
Technical
• What is the needed reader network?
• What is the expected data volume and required infrastructure to handle it?
• To what extent is the company able to equip its sites with the technical infrastructure
or are there technical restrictions (e.g. no broadband Internet connection on site,
machines which are affected by radio waves of the readers)?
• Can the reader device provide reliable read rates or will external circumstances
prevent the company from getting reliable reads?
• Does the company have enough knowledge to realize the project and to maintain the
infrastructure afterwards, or does the company need to pay external experts?
Anti-counterfeiting measures
• Which security measures are feasible?
• What is the required level of protection? How much money and effort can be
allocated to protect one product?
• Which anti-counterfeiting solution suits best for the company? E.g., is trace data
available? Are the traces complete? How good is the read accuracy? Is the trace data
timely or does it come with delays? Table 5 provides a conceptual feasibility of RFID-
based product authentication measures in different supply chain locations (see
Section 2 and BRIDGE D5.4 for technical details).
Legal
• Are there any legal restrictions towards hardware, software or private concerns in the
operating countries?
Financial
BRIDGE – Building Radio frequency IDentification solutions for the Global Environment
• Is there a budget for the planned expenditures (starting investment and operating
costs)?
By giving answers to these questions, the feasibility study highlights positive and negative
aspects, as well as alternative options and possibilities. Furthermore, it has to summarize
possible risks and critical steps in order to increase the probability of success [9]. If the
project is supposed to be feasible also the monetary aspect need to be reviewed.
4.2.6 Cost-benefit analysis A cost-benefit analysis is a good instrument for evaluating the project’s potential beforehand.
As described in the BRIDGE D5.3 deliverable, costs need to be distinguished into one-time
set-up, and variable costs [11]. While one-time set-up costs cover software, hardware,
consulting, planning and other project related costs, the variable costs comprise all operation
and maintenance cost, such as costs for inspections, RFID tags and costs for reaction
measures towards findings of counterfeit goods. The latter must be regarded very carefully
since the technical solution will increase the number of revealed counterfeits and therewith
the costs for these reaction measures. In order to get a clear and correct picture, it is
important to include all related costs and benefits in a correct manner. This subsection
presents a list of cost and benefit factors which need to be regarded in a project.
One-Time Costs
• Consulting and planning costs occur when third parties are engaged in the
adoption project. Especially when the company lacks know-how, third party
knowledge needs to be purchased.
• Hardware expenses include all costs for RFID-readers, work stations, servers,
RFID-printers and network infrastructure.
• Software expenses include all licenses needed for work stations, servers and RFID-
middleware.
• System integration costs are costs for the installation and configuration of hard-
and software including reader installation, EPCIS and EPCDS server installation as
well as the integration of the system into the current IT infrastructure.
• Production line changes might be necessary to enable product tagging in the
manufacturing site.
• Costs for the internal project team cover all expenses for internal personnel within
the adoption project.
• The initial EPCglobal subscription fee needs to be paid at the beginning of the
subscription. The amount depends on the company’s turnover and the operating
country.
BRIDGE – Building Radio frequency IDentification solutions for the Global Environment
Variable Costs
• Costs for RFID-tags are a major cost driver, due to the fact that every item needs to
be tagged. Depending on which kind of tag is used, these costs can vary from a few
cents to multiple Euros. The average price of a low cost RFID inlay is less than 10
cents. Prices are expected to drop further.
• Costs for tag integration comprise the costs for integration of tags into the product
including variable material and labor costs.
• Maintenance costs (reader, server, etc) refer to costs for maintaining the
infrastructure including soft- and hardware. These maintenance costs are estimated
about 10-15% of the initial investment [14].
• EPCglobal annual fee has to be paid by EPCglobal subscribers each year. The
amount depends on the company’s turnover and operating country.
• The Inspection team consists of employees monitoring the supply chain. The
maintenance of the prototype (including the creation of new rules) and the
investigation of suspicious products are their major tasks.
• Training is needed to teach on-site personnel how to handle suspicious products and
how to interact with the reaction team. It is also needed to give an understanding of
the new system to the employees.
• Travel expenses occur when the inspection team has to travel to different locations
in order to perform investigations.
• Test purchases are needed to locate counterfeits and illegal distribution channels in
the market.
• Reaction costs are caused by counterfeits found in the supply chain. In order to
prevent counterfeits from entering the supply chain in the future, law cases must be
opened and possible entries for counterfeits must be closed.
Other categories
• The up-front investment costs contain setup costs for hardware, software and
service expenditures. These costs must be depreciated over the complete
investment’s live time.
• In order to calculate the present value of the investment, the discount rate for future
cash flows needs to be anticipated. Thereby, the discount rate represents the
company’s costs of capital. For small and growing companies, this rate is most likely
to be higher than for large and mature company’s.
A more detailed description can be found in the BRIDGE D5.3 Business Case deliverable.
BRIDGE – Building Radio frequency IDentification solutions for the Global Environment
Quantifying the financial benefits of an anti-counterfeiting solution is very difficult due to the
fact that the outcomes of such a solution are characterized by a complex chain of effects
(see Figure 18). Investing money into an ACF system will increase the level of security (1)
towards the threat of counterfeiting (2). By increasing this level the counterfeiters will be
faced with the threat of detection. Furthermore, their profit will decrease (3) forcing some of
them to withdraw from the market. As a result, the number of counterfeit injections will be
reduced (5), while the detection rate will increase (4). This leads, to a lowered number of
successful injections which will then result in possible financial benefits subsisting of lesser
losses of sales, an increased goodwill and brand value and an increased customer safety.
Putting a price to these factors beforehand is very difficult. Therefore, estimating the benefit
of different ACF solutions can optimally be done by comparing their level of security,
because a higher level of security will lead to more financial benefits. A guide on how to
estimate the level of security for a certain solution can be found in the BRIDGE D5.3.
Cost
Technology ($) Level ofsecurity (S)
Adversary (A)
Non realizedthreats (B)
Financialbenefits ($)
Benefit
1
23
4 6
5
Figure 18: Cost benefit model of investment in security
Besides the business application of anti-counterfeiting, RFID enables a variety of additional
business applications. Figure 19 illustrates the work package structure of the BRIDGE
project and the business applications researched within BRIDGE (framed). Anti-
counterfeiting is only one of numerous business applications of an extended RFID and track-
and-trace network. Hence, while the costs arise only once, the benefits are abundant.
BRIDGE – Building Radio frequency IDentification solutions for the Global Environment
WP4: Security
WP3: Serial-Level Supply Chain Control
WP2: Serial-Level Lookup Service
WP1: Hardware Development
WP12: Training Platform, Courseware & Certification
WP13: Dissemination & Adoption Tools
TechnicalDevelopmentClusters
BusinessDevelopmentClusters
HorizontalActivities
Figure 19: Exemplary RFID enabled Business Applications
These application guidelines are written for the purpose of anti-counterfeiting, however, most
of the non-anti-counterfeiting aspects hold true also for other business applications.
4.3 Planning phase
4.3.1 Purpose of the Planning Phase The planning phase is the second phase in the project life cycle. The goal of the planning
phase is to create a plan for the execution phase and to analyze the company’s requirements
towards the RFID-system. The main activities in this phase are the anticipation and
documentation of upcoming changes, the stakeholder analysis, the selection of hardware
and software and the development of an RFID system design by conduction a site survey.
4.3.2 Organizational and Process Changes In order to adopt RFID and an anti-counterfeiting solution, it is crucial to know the existing
environment including organizational and technical infrastructure [3]. This knowledge saves
time and prevents interruptions in the implementation phase. On the one hand this includes a
site survey which is discussed in subsection 4.3.3 and on the other hand this includes the
anticipation of organizational and process changes in order to enable a successful change
management. An RFID-project comes along with a lot of side-effects which need to be
investigated beforehand. If these changes are desirable, people have to be trained and
informed accordingly in order to enable them to cope with the changed environment. If these
changes are not desirable, countermeasures have to be implemented. Thereby, it is
essential to understand that RFID is not only an IT issue, but an issue which has a strong
impact on all divisions and therefore on the existing organizational structure and processes.
Thus, it is important that managers understand the current environment before planning the
required changes. An RFID-adoption which is not planned thoroughly can have a negative
BRIDGE – Building Radio frequency IDentification solutions for the Global Environment
impact on the business [8]. Therefore, the organizational structure and the processes as well
as the changes and their impact on employees and the organizational structure have to be
described carefully.
4.3.3 Site Survey The goal of the site survey is to develop an RFID-system design [17]. This includes the
assessment of possible hardware and software, a plan how to integrate the system into the
current infrastructure, and a plan where to set up the different readers and servers. In order
to create this system design, an on-site investigation is indispensable. Thereby, the physical
infrastructure and the radio frequency environment are the most important aspects. In order
to successfully execute such a site survey a standardized procedure can be helpful (see
Figure 20).
Visualize the site infrastructure by creating a blueprintPlan Blueprints
Inspect the Site Inspect the site and make observations for the physical
and electrical analysis
Perform analysis and determine the reader location
Document the results within the blueprints
DetermineReader
Location
DocumentResults
Figure 20: Site Survey Process [17]
Before conducting a site survey, it is advisable to create a blueprint of the site. A blueprint is
a plan which visualizes the architecture and the engineering design. On the basis of this
blueprint, the site can be inspected in order to identify possible issues, such as metals or
machines interfering with the radio waves. As a next step, physical and electrical analyses
need to be performed in order to find appropriate locations for the readers and antennas. The
importance of these locations should not be underestimated, because only a good system
design can prevent counterfeiters from injecting counterfeits into the supply chain. In order to
avoid these injections, a high granularity and a good read rate are needed. Granularity,
hereby, means that there are not only readers at the entrance and exit of the site, but also
between different production steps. As a result, products can be checked more often and in
earlier stages of the supply chain. On the one hand this lead to a faster detection of
counterfeits, and on the other hand injections can be retraced easier and more exact. In
BRIDGE – Building Radio frequency IDentification solutions for the Global Environment
addition to the granularity, a good read accuracy is needed to increase the quality of the
data. The read accuracy can be assured by conducting an electrical analysis. The aim of this
analysis is to find a reader location where no ambient electromagnetic noise is interfering
with the reader and antennas [18]. The better the read accuracy, the less is the effort to
manually scan items which were not recognized by the reader. Furthermore, a good read
accuracy will result in a complete product trace, which will increase the efficiency of the
different prototypes and decrease the false alarms due to incorrect data. Concluding the
analyses, the identified locations are marked in the blueprint, and the results are documented
for later use.
4.3.4 Selection of Hardware and Software Selecting proper hardware and software is an important task in the RFID adoption process.
Before buying the equipment, basic knowledge about the different systems and vendors has
to be obtained. A good way of doing so is to study available articles and papers including
lists of major RFID-vendors.5
Table 8
Especially important is the use of standards, due to the fact that
interoperability needs to be ensured along the whole supply chain. Without data interchange
with other organizations, it will not be possible to gather a complete trace for the solution.
Since this deliverable is created within the BRIDGE project, EPCglobal standards are used to
ensure the required interoperability. Though, the use of standards should be discussed with
all supply chain partners beforehand. shows the required hardware and software for
an RFID-implementation.
Table 8: Required hardware and software
Hardware Software Tags RFID-Reader RFID-Printer Servers and workstations Network: Servers Routers Cables
EPCglobal middleware EPCIS EPCDS Anti-counterfeiting software
4.3.5 Stakeholder Analysis Stakeholders are of special importance within an RFID-project, because they can have a
critical influence on the success of the project. Therefore, all stakeholders have to be listed
and described carefully in their expectations, conflict potential, function, information needs,
and bargaining power/influence [15]. Stakeholders can be individuals or organizations who
are either involved in the project or whose interest is positively or negatively inter-connected
with the project’s execution [2].
5 A comprehensive and actual list of vendors can be found on www.rfidjournal.com
BRIDGE – Building Radio frequency IDentification solutions for the Global Environment
Table 9: Exemplary Table of Stakeholders
Stakeholder Expectation Function Information need
Conflict potential
Influence
Employee 1 To be kept informed about the project
CIO High Low High
Project Team
High Low High
End Users To be kept informed about project activities that will affect them
Users High Medium Low
Supplier A Increase ROI Minor Supplier
High Low Low
Supplier B Reduction of Impact for Supplier B
Main Supplier
High High High
NGO 1 Publish which kind of customer data is gathered
Consumer Protection Organization
Low High Low
Consumer Not to be affected negatively by the project. Reduction of counterfeits in the market
Customer Medium Low Low
Table 9 shows an exemplary list of stakeholders with all the information mentioned above.
According to the PMBOK, following stakeholder groups should be investigated in order to
identify all possible stakeholders:
Figure 21: Stakeholder groups [2]
As Figure 21 illustrates, stakeholders can be divided into key and additional stakeholders.
While the four key stakeholders exist in every project, additional stakeholders may vary from
project to project. Therefore, the stakeholder analysis must be performed very carefully. In
BRIDGE – Building Radio frequency IDentification solutions for the Global Environment
contrast to the PMBOK’s classification, suppliers and other supply chain partners must be
seen as key stakeholders in this special anti-counterfeiting project. In order to run the
prototypes with maximum efficiency, the entire trace data must be available. This can only be
achieved if the supply chain partners are willing to share this data. Thus, good relationships
and good stakeholder management for these stakeholders are indispensable. Due to very
different objectives of each stakeholder, managing the expectations is the most challenging
part. In case of conflicts among stakeholders, a solution which is in favor of the customer
should be chosen. A matrix can help to visualize and identify potential supporters and
opponents. Figure 22 shows such an exemplary matrix with six different stakeholders (A to
F).
Figure 22: Exemplary Stakeholder Matrix
While the two axes show the trading volume and the willingness to share data, the bubble
size indicates the need of information. The bigger the bubble, the more information is
required by the stakeholders. Different colors are used to distinguish between key and
additional stakeholders. While the stakeholders in the lower left corner are mostly negligible,
the stakeholders in the upper right corner are the most critical ones. Very close observation
and reaction measures need to be conducted for them.
4.4 Implementation phase
4.4.1 Purpose of the Implementation Phase The Implementation phase is the third step in the project life cycle. The activities of this
phase are the deployment of the system, and the implementation of the organizational
changes planned in the phases before. In order to avoid confusion of the daily business it is
recommended to run a Pilot system before conducting the full-scale implementation. The
goal of the implementation phase is to create a properly tested and working system for which
training material and documentations are available.
BRIDGE – Building Radio frequency IDentification solutions for the Global Environment
4.4.2 Pilot Study In many cases it is recommended to conduct a pilot study. The goal of this study is to get
experience with the system in a real production environment and to verify the findings of the
initiation and planning phase [4]. The first thing to do when conducting such a study is to
choose a site where to implement the pilot. A smaller location should be chosen where the
implementation or even a failure of the project would not lead to a major disturbance of the
daily business. Depending on the size of the implementation project, a pilot study is carried
out in about 2-6 months. The most important activities in the pilot phase are to attain the
desired read accuracy and to verify the correct reader locations in combination with the
corresponding business processes. Furthermore, it is important to check the system’s ability
to work properly under full load operation. By testing different reader-configurations, the read
rate and the scanning and tagging speed can be increased. While running the tests, the
hardware infrastructure and especially the network should be carefully monitored in order to
identify possible bottlenecks. In the course of time, the employees will become more familiar
with the system, which will lead to a significant increase in efficiency. When the system is
running suitably, the detection rate of the chosen anti-counterfeiting solution can be
measured by injecting suspicious products into the supply chain. Afterwards, the planning
documents can be adjusted according to the findings of the pilot study, concluded by a
company-wide full scale implementation.
4.4.3 Administrative and Organizational Requirements and Changes While implementing the RFID-based anti-counterfeiting solution, different administrative and
organizational changes will occur within the company. It is important to carefully monitor
these alterations in the implementation phase in order to prevent undesired side-effects,
such as a change in the power structure. Most of these changes should already be
documented in the planning phase. However, some of them can still be unforeseen and
therefore a pro-active change management is indispensable.
The biggest change in the organizational structure is the establishment of an anti-
counterfeiting taskforce. This taskforce is a cross-functional team which continuously deals
with anti-counterfeiting. Its tasks are to maintain and utilize the ACF solution and to initiate
adequate measures against seized counterfeits. The team, therefore, needs to be integrated
into the organizational structure. Its existence and its competences must be communicated
clearly to the employees at the different sites and departments in order to avoid confusions.
While the RFID implementation is in progress, the team members have to create a procedure
strategy towards seized goods. Furthermore, communication channels to internal and
external parties must be established. In order to get an overall picture of the counterfeiting
situation within the company, it is important to talk to the different departments. Hereby, the
cooperation with the legal department is of special importance, since this department will
BRIDGE – Building Radio frequency IDentification solutions for the Global Environment
take legal actions based on the investigation of the anti-counterfeiting team. A close
cooperation with external parties, such as the government, customs and supply chain
partners can also be very helpful.
The goal in the implementation phase for the anti-counterfeiting team is to gain the required
knowledge. The aim can be achieved by conducting training sessions on the one hand and
by getting familiar with the systems and applications, and by discussing counterfeit issues
with the different departments on the other hand. The skill set of the team should, therefore,
comprise technical expertise as well as business knowledge.
4.4.4 Technical Requirements and Changes An RFID-project will have major implications on the technical infrastructure including the
installation of RFID-readers, the setup of new servers and workstations, and the adaption of
the network infrastructure. Usually, an upgrade of the network is coercively necessary due to
a higher data volume. For instance, when Metro introduced its RFID system, they concluded
that 25 gigabytes of data will be generated every minute by their RFID-readers, assuming 10
kilobyte per scanning event and 40000 events per second [16]. This huge amount of data
needs to be transferred via the network to different servers and applications. Therefore, the
network should be adapted and carefully monitored, in order to prevent a slowdown of other
data transfers.
Each plant or warehouse location needs to be equipped with RFID-reader and printer
devices. This is necessary for exchanging broken tags and for tagging products from
manufacturers and retailers delivering their goods without RFID-tags.
Furthermore, each site hast to be either equipped or connected with an EPCIS to store the
captured observation events. The chosen system then accesses the EPCISs via a central
Discovery Service which also runs on a distinct server. In order to integrate the infrastructure
into the current IT-environment, several interfaces need to be implemented.
4.5 Closing phase The closing phase is the last step in the project life cycle. The goal of this phase is to formally
close the project [2]. The tasks in this phase are to complete the system documentation,
transfer open tasks to other staff, and break up the project team. Furthermore, the lessons
learned should be reviewed and analyzed carefully in order to learn for future projects. As a
last step, the computer systems, the prototype, and the documentations will be handed over
to the maintenance team, which will be responsible for further activities.
4.6 Operation and Maintenance The operation and maintenance phase is not part of the adoption project because it is an
ongoing activity which does not have a defined end. In this phase, the anti-counterfeiting
BRIDGE – Building Radio frequency IDentification solutions for the Global Environment
team has the responsibility for the prototype and the reaction measures towards seized
counterfeits. Mistakenly stopped genuine products (false positives) and counterfeit products
that are not detected in a check (false negatives) raise the need to handle liability issues
during the operation and maintenance phase. Regarding liability, it is crucial that the end
users understand the difference between hard-to-copy prevention-based features (cf.
subsection 2.2) and detection-based security measures (cf. subsection 2.3). Unlike a hard-to-
copy feature, a check based on a detection-based measure needs to deal with uncertainty (in
visibility) and it can thus generate both false positives and negatives. Therefore the
detection-based systems should be regarded as an additional level of protection that is able
to detect many of the materialized threats, very much like a surveillance camera. In
particular, this difference is already explicit in the pharmaceutical industry jargon where
checking is defined as “authentication” for prevention-based security measures and
“verification” for detection-based security measures.
This brings fort a possible issue regarding borderline cases, that is, weak alarms that are
possible in some detection-based measures. These cases indicate a weak reason (i.e. a
small probability) to be suspicious about the origins of a product but the evidence is not
strong enough to raise a full alarm. Thus the affected companies are reluctant to manually
control all the borderline cases since it would mean a considerable increase in the number of
manual interventions needed. However, if such a weak alarm is triggered by a counterfeit
product but no further actions are taken by the responsible company, a customer who buys
the counterfeit product could potentially sue the company for not taking the necessary
actions to protect him or her from counterfeits. This illustrates the rigid reliability requirements
of detection-based security measures in real-world applications and a possible liability problem: if the risk of liability claims due to not reacting in borderline cases is too high for the
affected company, it might be better for the affected company not to deploy the detection-
based security measure at all. In other words, it can be cheaper not to analyze the track and
trace data for counterfeit products at all, than to do it and face the risk of increased liability
due to borderline cases, or to do it and react in all borderline cases, which means stopping
and manually verifying numerous shipments of genuine products every day.
In order to quantify the success and the extent of the problem, the team needs to create
statistics about all cases and the development over time. The operation phase will be
characterized by the so called “war of escalation”. With the new system, counterfeiters will
have difficulties to inject their goods into the supply chain. But as time evolves, smart
counterfeiters might find ways to circumvent the system. Therefore, a technical solution
should not be seen as a silver bullet against counterfeiting. The process of anti-counterfeiting
will be an ongoing activity where the steps of counterfeiters need to be anticipated. In order
to efficiently retaliate against the counterfeiters, anti-counterfeiters will have to anticipate the
next moves (e.g., create new rules in case of the rule-based anti-counterfeiting prototype).
BRIDGE – Building Radio frequency IDentification solutions for the Global Environment
One very important activity, hereby, is the protection of the server infrastructure. If
adversaries can manipulated the data within the EPCIS servers all the advantages of the
different prototypes will turn into disadvantages, because unsuspicious goods will be handled
with much less care than goods which can possibly be a counterfeit.
Besides the protection of the licit supply chain, also illicit channels can be monitored by
making test purchases at online market places or flea markets. Over the course of time, anti-
counterfeiting technology will evolve and become more sophisticated. Therefore, the anti-
counterfeiting team will have to watch the technological trends and adopt them if necessary.
BRIDGE – Building Radio frequency IDentification solutions for the Global Environment
5 Example Application
5.1 Introduction In this chapter, the SAP RFID rule-based anti-counterfeiting prototype will be implemented to
a virtual company using the project life cycle model from Section 4. Since WP5 does not
have a real-world industry partner to implement the anti-counterfeiting prototype, we decided
to implement the prototype for the virtual SAP company “Akron”. Although Akron does not
exist in reality, it has its model (including supply chain, suppliers, number of plants, products,
employees, etc.) adapted from a real-world company.
5.2 Akron Company Profile Akron is a so-called model company which was originally set-up by SAP for the development
and testing of Business By Design. Akron is only a virtual company. However, its model was
adapted from an anonymized real-world company. The company’s profile was slightly
adapted though, in order to fit to the requirements of this report. Since its foundation in 1965,
Akron (headquartered in Berlin) is operating in the automotive industry producing spare
parts. With its 900 employees (600 in production), the company runs 3 plants in Berlin
(Germany), Toronto (Canada) and Paris (France), generating an annual revenue of 350
Million Euros. The company runs two distribution centers (DC) in Frankfurt (Germany) and
Shanghai (China), and five subsidiaries in Budapest (Hungary), London (England), Osaka
(Japan), and Peking (China). Figure 23 illustrates the supply chain network of Akron:
Manufacturer
Akron
Supplier Customer
Miller & Son
Mobita
Others
Toronto
ABC Contract Manufacturer China
Berlin
Paris
DC Frankfurt
DC Frankfurt
DC Shanghai
EMEA
APJ
Figure 23: Akron's Supply Chain Network
Mobita and Miller & Son are Akron’s main suppliers. While Mobita and various smaller
suppliers deliver to the distribution center in Frankfurt, Miller & Son delivers to the plant in
BRIDGE – Building Radio frequency IDentification solutions for the Global Environment
Toronto. The parts produced in Toronto and Paris, and parts from third party vendors
(delivered from Frankfurt) are assembled in Berlin. From Berlin the finished goods are sent
to the DC in Frankfurt for the European market, and to the DC in Shanghai for the region
Asia Pacific and Japan (APJ). Furthermore, the company has a contract manufacturer in
China in order to balance demand fluctuations and bottleneck situations. Approximately 17%
(154) of the employees refer to Sales, Service & Marketing. The other employees are linked
to general administration including IT and HR, procurement and R&D. With a limited annual
IT budget of approximately € 7 million, the company demands for effective IT-services
focusing on key pain-points and addressing them in time-, resource- and cost-effective way.
In recent years Akron observed a growing percentage of counterfeits within the market.
Studies and appraisals calculated this percentage to be about 10% of all parts. This number
is located at the upper end of the range of 5-10 percent which is common for the automotive
industry [12]. Thus, Akron is concerned about the loss of its sales and the deterioration of its
image. Furthermore, Akron fears the increased number of car accidents caused by low
quality counterfeit parts bearing their trademark. Therefore, Catherine Kennedy-Wood (CEO)
decided to take countermeasures against counterfeits.
Akron already conducted some laboratory trials with RFID and assessed the findings as
beneficial for the company. Therefore, Akron decided to go for an RFID solution. When
analyzing the market for anti-counterfeiting solutions, Akron discovered the BRIDGE rule-
based anti-counterfeiting prototype which fits perfectly to the needs of the company.
5.3 Application
5.3.1 Initiation phase Due to recently conducted studies and analyses, Akron is well informed about its
counterfeiting situation. So far, Akron didn’t take any measures against counterfeiting.
Compared to other competitors, the percentage of counterfeits is very high. Hence the
company suffers competitive disadvantages. Therefore, Akron wants to combat
counterfeiting activities and secure its licit supply chain. Ideally, Akron can achieve a number
less than 5% of counterfeit products, which in consequence will lead to a competitive
advantage for the company, higher sales, and a better reputation and image. Therefore, the
three plants and two warehouses are to be equipped with RFID hardware.6
Figure 24
In order to create
a scope document including a feasibility study and a cost-benefit analysis, Joerg Hamburger,
the IT Services Director, was entrusted to setup a project team. illustrates the core
project team according to Joerg Hamburger’s proposal and based on Section 4.2.3 and
adapted for the rule-based track and trace prototype.
6 A detailed plan of the needed hardware can be found in the hardware cost calculation in Appendix A.
BRIDGE – Building Radio frequency IDentification solutions for the Global Environment
Figure 24: Akron's project team
In this special project the process manager Bernhard Benedict is of special importance. As
illustrated in Figure 25, he is the link between the counterfeit experts within the different
departments and the rule designer. He is, therefore, the business expert for counterfeiting,
while the rule designer is the technical expert. The rule designer is capable of creating rules
for the prototype based on requirements given to him by the process manager. The process
manager is, thereby, the central expert for counterfeiting combining the experience of the
experts from different departments, such as:
• Marketing expert’s view: In which distribution channels do counterfeit goods
appear?
• Production expert’s view: How to distinguish between the genuine product and
counterfeit?
• Logistic expert’s view: How are counterfeits injected into the supply chain?
BRIDGE – Building Radio frequency IDentification solutions for the Global Environment
Figure 25: Process manger and rule designer
As a first step, the project team conducted a detailed feasibility study which proved that the
project can be beneficial. However, the study also pointed out some risks which have to be
carefully monitored. Gathering the trace information for the prototype will be hard, because
suppliers are difficult to convince to share data. Therefore, the stakeholder analysis and
communication will be of special importance. Furthermore, the budget frame is very tight;
hence a good financial planning is necessary. For more details please refer to BRIDGE D5.3
Business Case Report [11].
5.3.2 Planning phase In order to create an RFID-system design, the RFID-manager Connie Cook and the RFID-
engineer Michael Davis conducted a site survey which was executed in cooperation with the
Akron warehouse and plant administration. Three plants and two distribution centers were
investigated. As a first step a factory layout was created. Based on this blueprint the physical
and electrical analyses were conducted in order to find the locations for the readers. Figure
26 shows the blueprint for the factory in Toronto, where 8 reader and 3 printer locations were
marked. With the blueprint at hand, the project team can now estimate the exact hardware
requirements. In addition, the blueprint can be used as a plan for the implementation phase.
The process manger can now analyze and document the needed changes in production
processes and the rule designer can use the factory layout to create first anti-counterfeiting
rules. Thereby, possible design flaws can be found and corrected before the actual
implementation.
BRIDGE – Building Radio frequency IDentification solutions for the Global Environment
Figure 26: Factory layout
Based on the factory layout and laboratory trials Akron decided to introduce ultra high
frequency passive tags. Furthermore, several price proposals were obtained in order to
decide for reader and printer vendors. Thereby, the read accuracy and the price were the
most important factors for the decision.
The stakeholder map and the resulting communication plan are of special importance for
Akron. The feasibility study revealed that some suppliers and partners are not very keen on
exchanging supply chain related data. But for anti-counterfeiting and especially for the track
and trace prototype, this data is inevitable to work reliable. Therefore, Akron entrusted Arthur
Major to handle all external communications. Arthur created a stakeholder map which can be
found in Appendix B. In order to visualize the relationships to the different suppliers and to
figure out possible conflicts, he also created a matrix (see Figure 27). The matrix will help to
identify critical suppliers and the resulting need for action.
BRIDGE – Building Radio frequency IDentification solutions for the Global Environment
Figure 27: Supplier matrix
The X-Axis symbolizes the willingness of supply chain partners to share EPC event data with
Akron. The higher this value is, the better it is for Akron. The Y-Axis symbolizes the trading
volume of the supply chain partner. The higher the trading volume is, the more influence has
the supply chain partner and the more important it is for Akron to gather the EPCIS data.
Generally, the suppliers can be divided in those who are willing to share data (supporters)
and in those who are not willing to share data (opponents). The opponents need to be
handled with special care. Therefore, negotiation meetings were conducted with Mobita and
the Fisher Steel Group. In the end, Akron was able to convince the two opponents to
cooperate by highlighting the benefits of the new solution for both sides in the combat
against counterfeiting.
5.3.3 Implementation phase In order to avoid major confusions when implementing the system, Akron planned a pilot
study at the site in Toronto for a period of three month. As a first step the servers were set up
including the middleware server, a local EPCIS, the central EPC Discovery Service, and a
server the prototype is running on. As a next step, the RFID-hardware was deployed
according to the plan created in the site survey. Several interfaces were implemented in
order to connect the hardware and the middleware with the ERP system. The pilot study
validated the correctness of the factory layout and investigated the infrastructure. It also
showed that there is no need of upgrading the network. With about 1.000.000 million
products produced yearly and 50 RFID-reader, only 58 Mb of data will be generated every
hour (1.000.000*50/365/24*10 kb/1000), assuming 10 kilobytes per event.
While implementing the prototype, Akron started to set up the anti-counterfeiting team which
takes reaction measures against counterfeits. In order to guarantee a good knowledge
transfer, the rule designer from the project team was also transferred to it. Furthermore, two
other persons were recruited. Within the three month of the pilot study the team started to
BRIDGE – Building Radio frequency IDentification solutions for the Global Environment
work with the system and established communication channels to customs, supply chain
partners, and to the different departments within the company.
5.3.4 Closing phase The closing phase went very smoothly. By handing over the prototype and the
documentation to the maintenance team, the project was closed. The team members were
transferred to other projects and the anti-counterfeiting team took over the remaining tasks
and started to take first measures against counterfeiters.
5.3.5 Operation and Maintenance By involving the anti-counterfeiting team in the pilot study, the team was able to work
productively from the first day on. The first months showed that the rate of counterfeits was
even higher than expected. By offering an authentication service to customers and customs
organization, the team found out that most of the counterfeit parts bearing the Akron brand
came into the market through illicit channels, for instance, through third party garages using
these parts as spare parts. In only a few month Akron was able to see first results by slowly
reducing the measured counterfeits. Legal step were already initiated against a supplier
delivering considerable amounts of counterfeits.
BRIDGE – Building Radio frequency IDentification solutions for the Global Environment
References [1] Deal, J. V. (2004): “The Role of the consultant Engineer in the Application of RFID
and RF Item Tracking Technologies”, Alta Consulting, Palo Alto.
[2] Duncan, William R. (2008): “A Guide to the Project Management Body of knowledge”, PMI, Newtown Square.
[3] Frey, T.: “Organizational and IT-Changes necessitated by the integration of EPC/RFID-data into existing processes and It-Infrastructure”, Darmstadt, TU.
[4] Gilmore, D. (2005): “Anatomy of an RFID pilot”, Supply Chain Digest, Springboro.
[5] Great Britain Office of Government Commerce (2005): “Managing Successful Projects with PRINCE2”, The Stationery Office, Norwich, St Crispins.
[6] Gross, S., Lo, J. S. (2003): “Change Readiness Guide: Project Management Edition”, Auto-ID Center, St.Gallen.
[7] International Project Management Association (2006): “IPMA Competences Baseline”, IPMA, Njikerk.
[8] Irrgang, Reinhard (2005): “Wege zum Einsatzreifen RFID-Konzept”, FM Das Logistikmagazin, Edition 10/2005.
[9] Kramer, S., Hackmann, E. (2007): “Machbarkeitsstudien – fundiert Entscheidungen treffen”, Tipps & Trends, PriceWaterhouseCoopers.
[10] Lahiri, S. (2009): “Chapter 9 - Designing and Implementing an RFID Solution”, RFID Sourcebook, IBM Press, Indianapolis.
[11] Lehtonen, M., Al-Kassab, J. (2007): “EU-Bridge deliverable D5.3: Anti-counterfeiting Business Case Report”, ETH Zürich, Zürich.
[12] Lehtonen, M., Al-Kassab, J. (2006): “EU-Bridge deliverable D5.1: Problem-Analysis Report on Counterfeiting and Illicit Trade”, ETH Zürich, Zürich.
[13] Lehtonen, M., Staake, T., Kločič, Z. (2008): “SToP deliverable D1.4: Analysis of the weakest points within licit supply chains and the properties of products most susceptible to tampering and counterfeiting”, ETH Zürich, Zürich.
[14] Leung, Y., Cheng, F., Lee, Y., Hennessy, J. (2006): “A Business Value Modeling Tool Set for Exploring the Value of RFID in a Supply Chain”, IBM Research Report.
[15] Pigni, F., Astuti, S., Noè, C., Buonanno, G., Bandera, S., Ferrari, P., Mazzola, G., Da Bove, M. (2006): “A guideline to RFID application in supply chains”, Camera di Comercio di Varese, May 2006, Varese.
[16] Plattner, H. (2008): “Trends and Concepts in the software industry”, Hasso-Plattner-Institut, Potsdam.
[17] Snaghery, P., et al. (2007): “Deploying and Securing RFID”, Syngress, St. Louis.
[18] Sweeney II, P. J., Zeisel, E. (2007): “CompTIA RFID+ Study Guide (Exam RF0-101)”, Sybex, Köln.
BRIDGE – Building Radio frequency IDentification solutions for the Global Environment
[19] Olsen, J., Granzin, K. (1992): “Gaining retailers’ assistance in fighting counterfeiting: Conceptualization and empirical test for a helping model”, Journal of Retailing, 68(1):90–109.
[20] Olsen, J., Granzin, K. (1993): “Using channels constructs to explain dealers’ willingness to help manufacturers combat counterfeiting”, Journal of Business Research, 27(2):147–170.
[21] von Reischach, F., Michahelles, F., Fleisch, E. (2007): “Anti-Counterfeiting 2.0 - A Consumer-Driven Approach towards Product Authentication”, Late Breaking Results at the 9th International Conference on Ubiquitous Computing (UbiComp 2007), Austria.
[22] Wiechert, T., Thiesse, F., Michahelles, F., Schmitt, P., and Fleisch, E. (2007): “Connecting mobile phones to the internet of things: A discussion of compatibility issues between epc and nfc”, In Americas Conference on Information Systems, AMCIS.
[23] Sandhu, R. (2003): “Good-enough security: Toward a pragmatic business-driven discipline”, IEEE Internet Computing, 7(1):66–68.
[24] Koh, R., Schuster, E., Chackrabarti, I., and Bellman, A. (2003): “Securing the pharmaceutical supply chain”, Auto-ID Labs White Paper, Massachusetts Institute of Technology.
[25] Juels, A. (2005): “Strengthening EPC Tags Against Cloning”, In M. Jakobsson and R. Poovendran, eds., ACM Workshop on Wireless Security (WiSe), 67–76.
[26] Koscher, K., Juels, A., Kohno, T., Brajkovic, V. (2008): “EPC RFID Tags in Security Applications: Passport Cards, Enhanced Drivers Licenses, and Beyond”, Manuscript, RSA Laboratories.
[27] Feldhofer, M., Aigner, M., Dominikus, S. (2005): “An Application of RFID Tags using Secure Symmetric Authentication”, In: 1st International Workshop on Privacy and Trust in Pervasive and Ubiquitous Computing, pp. 43-49.
[28] Plos, T., Hutter, M., Feldhofer, M. (2008): “Evaluation of Side-Channel Preprocessing Techniques on Cryptographic-Enabled HF and UHF RFID-Tag Prototypes”, In: Workshop on RFID Security 2008, Budapest.
[29] Juels, A. (2004): “Minimalist cryptography for low-cost RFID tag”, In: Blundo, C., Cimato, S. (eds.) International Conference on Security in Communication Networks SCN 2004. LNCS, Vol. 3352, 149–164, Springer, Heidelberg.
[30] Avoine, G., Oechslin, P. (2005): “A scalable and provably secure hash based RFID protocol”, In: IEEE International Workshop on Pervasive Computing and Communication Security, 110–114.
[31] Hein, D., Wolkerstorfer, J., Felber, N. (2008): “ECC is Ready for RFID – A Proof in Silicon”, In Workshop on RFID Security (RFIDSec’08), Hungary, Budapest.
BRIDGE – Building Radio frequency IDentification solutions for the Global Environment
[32] Devadas, S., Suh, E., Paral, S., Sowell, R., Ziola, T., Khandelwal, V. (2008): “Design and Implementation of PUF-Based ”Unclonable” RFID ICs for Anti-Counterfeiting and Security Applications”, In: IEEE International Conference on RFID 2008, 58–64.
[33] Ranasinghe, D., Engels, D., and Cole, P. (2004): “Security and Privacy: Modest Proposals for Low-Cost RFID Systems”, In Auto-ID Labs Research Workshop, Zurich, Switzerland.
[34] Cook, C., Vogt, H., Muller, J., Dada, A, Pfletschinger, M., Ortel, N., Molan, M., Naraks, A., Gourmanel, F. (2008): “Report on Integration of Smart/Intelligent Tags in Products”, Deliverable D4.3 of the SToP project.
[35] Nochta, Z., Staake, T., and Fleisch, E. (2006): “Product Specific Security Features Based on RFID Technology”, In Saint-Workshop, International Symposium on Applications and the Internet Workshops (SAINTW'06), 72-75
[36] Schneier, B. (2003): “Beyond Fear. Thinking Sensibly about Security in an Uncertain World“, Copernicus Books, Springer-Verlag New York Inc.
[37] Staake, T. (2007): “Counterfeit Trade - Economics and Countermeasures”, PhD thesis, University of St. Gallen. Dissertation no. 3362.
BRIDGE – Building Radio frequency IDentification solutions for the Global Environment
Appendix A: Hardware calculations
Table 10: Calculation of hardware expenses7
Cost of 1 reader
Factor Cost Alien 9800 EPC Gen 2 RFID Reader 1 1,247 € Alien 915 MHz Linear Antenna 4 117 € Omron 10m Antenna Cable 4 90 € Mounting Brackets 1 16 € SUM (EUR) 2,093 € Cost of 1 work station HP xw9400 Workstation 1 2,202 € Cost of 1 RFID printer Zebra R110xi RFID Printer 1 3,253 € Cost of 1 server HP ProLiant DL380 G5 1 2,424 € Cost of 1 networking infrastructure Routers 1 300 € Cables 1 50 € Sum (EUR) 350 € Hardware Expenses Cost of reader equipment 50 104,650 € Cost of work station 45 99,090 € Cost of RFID printer 10 32,532 € Cost of server 3 7,273 € Cost networking infrastructure 10 3,500 € SUM(EUR) 247,046 €
7 Price sources: http://www.rfidsupplychain.com/; http://www.hp.com/; http://www.nextag.com/rfid-printer/
BRIDGE – Building Radio frequency IDentification solutions for the Global Environment
Appendix B: Akron’s Stakeholder map
Table 11: Akron's stakeholder map
Stakeholder Expectation Function Information
need Conflict potential
Influence
Catherine Kennedy-Wood
Reduction of counterfeits bearing our trademark, Sponsor
CEO High Low High
Joerg Hamburger
Successful Project. Support from the CEO
Project leader High Low High
Al Gillmore Reduction of production costs by increasing efficiency with RFID
SVP Manufacturing High Low Medium
Jonathan Frazier No cost overrun SVP Finance and HR Medium Medium Medium
Project Team High Low High Anti-Counterfeiting team
Training sessions and introductions to the prototype
Users High Low Low
Other Employees
To be kept informed about the project. Promise that no jobs will be reduced due to RFID-technology.
Employees
Medium Medium Low
Miller & Son Technical support when introducing RFID
Main Supplier High Medium High
Mobita Not willing to introduce RFID
Main Supplier High High High
Motor Construction Inc.
Already introduced RFID. Reduced afford through replacement of Barcode systems
Supplier
High Low medium
Other suppliers To less market power to influence the project
Minor Suppliers
Medium Low Low
Customers Reduction of counterfeits. Less afford to control products
Customers Low Low Low